A REST API for a finance dashboard system with role-based access control, built with Node.js, Express, and MongoDB.
| Layer | Technology |
|---|---|
| Runtime | Node.js (ES Modules) |
| Framework | Express.js |
| Database | MongoDB with Mongoose |
| Auth | JWT |
| Validation | express-validator |
| API Docs | Swagger UI (OpenAPI 3.0) |
| Testing | Jest + Supertest + MongoMemoryServer |
| Security | express-rate-limit |
.
├── app.js
├── package.json
├── Readme.md
├── config/
│ └── db.js
├── controller/
│ ├── authController.js
│ ├── dashboardController.js
│ ├── transactionController.js
│ └── userController.js
├── middlewares/
│ ├── auth.js
│ ├── errorHandler.js
│ └── validation.js
├── models/
│ ├── Transaction.js
│ └── User.js
├── routes/
│ ├── authRoutes.js
│ ├── dashboardRoutes.js
│ ├── transactionRoutes.js
│ └── userRoutes.js
├── services/
│ ├── authService.js
│ ├── dashboardService.js
│ ├── transactionService.js
│ └── userService.js
├── swagger/
│ └── swagger.js
├── tests/
│ ├── helpers/
│ │ ├── db.js
│ │ └── factories.js
│ ├── Auth.test.js
│ ├── Dashboard.test.js
│ ├── Transactions.test.js
│ └── Users.test.js
└── utils/
└── response.js
- Node.js v18 or newer
- MongoDB local instance
npm installCreate a .env file in the project root:
PORT=3000
MONGODB_URI=mongodb://localhost:27017/finance_dashboard
JWT_SECRET=your_secure_secret
JWT_EXPIRES_IN=7d
NODE_ENV=development- This submission uses a local MongoDB instance for development and runtime.
- The default connection in this project is
mongodb://localhost:27017/finance_dashboard. - MongoDB Atlas is optional and not required for evaluation.
# Development
npm run dev
# Production-like run
npm start- API base URL:
http://localhost:3000/api - Swagger UI:
http://localhost:3000/api/docs - Health check:
http://localhost:3000/health
| Action | Viewer | Analyst | Admin |
|---|---|---|---|
| View transactions | Yes | Yes | Yes |
| Create/update/delete transactions | No | No | Yes |
| View dashboard summary/categories/trends/activity | No | Yes | Yes |
| List and manage users | No | No | Yes |
POST /api/auth/registerPOST /api/auth/loginGET /api/auth/me
GET /api/transactionsGET /api/transactions/:idPOST /api/transactions(admin)PATCH /api/transactions/:id(admin)DELETE /api/transactions/:id(admin, soft delete)
Supported filters on GET /api/transactions:
type=income|expensecategory=...startDate=YYYY-MM-DDendDate=YYYY-MM-DDpage=1limit=10sortBy=datesortOrder=asc|desc
GET /api/dashboard/summaryGET /api/dashboard/categoriesGET /api/dashboard/trends/monthly?months=6GET /api/dashboard/trends/weekly?weeks=8GET /api/dashboard/activity?limit=5
GET /api/users(admin only)GET /api/users/:id(admin only)PATCH /api/users/:id(admin only)PATCH /api/users/:id/deactivate(admin only)
Success:
{ "success": true, "message": "...", "data": { } }Paginated:
{
"success": true,
"message": "...",
"data": [],
"pagination": { "total": 100, "page": 1, "limit": 10, "totalPages": 10 }
}Error:
{ "success": false, "message": "...", "errors": [] }Tests use an in-memory MongoDB instance.
- Runtime API uses local MongoDB from
.env. - Test suite uses MongoMemoryServer and does not require an external database.
npm test
npm run test:coverageCurrent automated coverage in this repository includes:
- Auth flows: register, login, protected profile, token validation, duplicate/invalid input handling, expired/invalid token scenarios
- Transaction flows: CRUD, filtering, pagination, soft delete behavior, and role-based restrictions
- Dashboard flows: summary analytics, category breakdown, trends (monthly/weekly), recent activity, and role-based restrictions
- User management flows: admin-only list/get/update/deactivate paths, self-deactivate protection, role restrictions, and invalid ID/validation handling
Latest run status: 4 test suites, 66 tests passing.
| Assignment Requirement | API/Behavior Coverage | Test Files |
|---|---|---|
| 1. User and Role Management | Register/login/profile flow, admin-only user listing/get/update/deactivate behavior, and self-deactivate protection | tests/Auth.test.js, tests/Users.test.js |
| 2. Financial Records Management | Transaction CRUD, filtering, pagination, soft-delete semantics, invalid ID and validation handling | tests/Transactions.test.js |
| 3. Dashboard Summary APIs | Summary totals, category breakdown, monthly trends, weekly trends, recent activity limits/sorting | tests/Dashboard.test.js |
| 4. Access Control Logic | Viewer/Analyst/Admin enforcement across transactions, dashboard, and user-management routes | tests/Auth.test.js, tests/Transactions.test.js, tests/Dashboard.test.js, tests/Users.test.js |
| 5. Validation and Error Handling | Input validation failures, duplicate conflicts, unauthorized/forbidden states, not-found and invalid token scenarios | tests/Auth.test.js, tests/Transactions.test.js, tests/Users.test.js |
| 6. Data Persistence Behavior | MongoDB-backed route tests via in-memory MongoDB, including model constraints and service logic behavior | tests/helpers/db.js, all route test suites |
- Service layer contains business logic.
- Controllers are thin and focused on request/response handling.
- Transactions use soft delete (
isDeleted) to preserve history. - Dashboard endpoints use MongoDB aggregation for summary analytics.
- Passwords are hashed with bcrypt before storage.
- Centralized error handling is implemented in middleware.