A comprehensive fintech backend application built with Node.js, TypeScript, Express, and PostgreSQL. This project demonstrates modern backend development practices for financial services, including secure authentication, transaction processing, real-time notifications, and comprehensive API documentation.
- User Authentication & Authorization: JWT-based auth with role-based access control (CUSTOMER, ADMIN, SUPPORT)
- Account Management: Multi-account support with different account types (CHECKING, SAVINGS, BUSINESS)
- Transaction Processing: Secure money transfers, deposits, withdrawals with atomic operations
- Real-time Notifications: WebSocket-based notifications for transaction updates
- API Rate Limiting: Configurable rate limits for financial operations
- Comprehensive Logging: Structured logging with Winston for audit trails
- API Documentation: Interactive Swagger/OpenAPI documentation
- Security Features: Input validation, SQL injection protection, CORS, helmet
- Database Migrations: Prisma ORM with type-safe database operations
- Testing Suite: Jest-based unit and integration tests
- Docker Support: Production-ready containerization
- Runtime: Node.js 18+
- Language: TypeScript
- Framework: Express.js
- Database: PostgreSQL
- ORM: Prisma
- Authentication: JSON Web Tokens (JWT)
- Real-time: Socket.IO
- Testing: Jest, Supertest
- Documentation: Swagger/OpenAPI
- Logging: Winston
- Containerization: Docker & Docker Compose
- Node.js 18 or higher
- PostgreSQL 13 or higher
- Redis (for rate limiting)
- Docker & Docker Compose (optional)
A comprehensive Postman collection is included for testing all API endpoints. It covers user management, authentication, account operations, transactions, notifications, bulk operations, and audit log queries.
- File:
Fintech_API.postman_collection.json - Import this file into Postman to get started quickly.
- Environment Variables: Uses
{{base_url}},{{auth_token}},{{user_id}},{{account_id}}, etc. for easy switching between environments. - Automated Tests: Many requests include test scripts to extract tokens, IDs, and set variables automatically.
- Covers:
- User registration, login, profile, and logout
- Account creation, retrieval, and balance
- Transaction creation (deposit, withdrawal, transfer, payment)
- Bulk transaction operations
- Notification management
- Audit log retrieval and export
- Open Postman and click
Import. - Select the
Fintech_API.postman_collection.jsonfile from the project root. - Set the
base_urlvariable (e.g.,http://localhost:3000). - Run requests in sequence or use the collection runner for automated flows.
Tip: The collection automatically stores tokens and IDs as you run requests, making chained API testing seamless.
git clone <repository-url>
cd fintech
npm installCopy the environment example file and configure your settings:
cp .env.example .envEdit .env with your configuration:
# Database
DATABASE_URL="postgresql://fintech_user:fintech_pass@localhost:5432/fintech_db"
# JWT
JWT_SECRET="your-super-secret-jwt-key-here"
JWT_EXPIRES_IN="7d"
# Server
PORT=3000
NODE_ENV="development"
# Redis (for rate limiting)
REDIS_URL="redis://localhost:6379"
# Logging
LOG_LEVEL="info"Start the database and Redis services:
npm run docker:up- Create a PostgreSQL database named
fintech_db - Update the
DATABASE_URLin your.envfile - Run migrations:
npm run db:migratenpm run db:generatenpm run devnpm run build
npm startThe API will be available at http://localhost:3000
Once the server is running, access the interactive API documentation:
- Swagger UI:
http://localhost:3000/api-docs - OpenAPI JSON:
http://localhost:3000/api-docs.json
Run the test suite:
# Run all tests
npm test
# Run tests in watch mode
npm run test:watch
# Run tests with coverage
npm run test:coverage
### Rate Limiting Tests
The project includes comprehensive rate limiting tests:
- **Unit Tests**: Mock-based tests for rate limiting logic
- **Integration Tests**: Real Redis integration tests
- **Manual Testing**: End-to-end rate limiting verification
```bash
# Test rate limiting manually (requires server to be running)
node scripts/test-rate-limiting.jsThe manual test script will:
- Test global API rate limiting
- Test authentication rate limiting (login/register)
- Test financial operation rate limiting (transactions, transfers, payments)
- Display rate limit headers and responses
# Start all services (app, database, redis)
docker-compose up -d
# View logs
docker-compose logs -f
# Stop services
docker-compose down# Build production image
docker build -t fintech-api .
# Run with environment variables
docker run -p 3000:3000 --env-file .env fintech-apifintech/
βββ src/
β βββ config/ # Configuration files
β βββ controllers/ # Route controllers
β βββ middleware/ # Express middleware
β βββ routes/ # API routes
β βββ services/ # Business logic
β βββ types/ # TypeScript type definitions
β βββ utils/ # Utility functions
β βββ validators/ # Input validation schemas
β βββ app.ts # Express app configuration
β βββ server.ts # Server entry point
βββ prisma/
β βββ schema.prisma # Database schema
βββ tests/ # Test files
βββ logs/ # Application logs
βββ docker-compose.yml # Docker services
βββ Dockerfile # Container configuration
βββ README.md
The API uses JWT tokens for authentication. Include the token in the Authorization header:
Authorization: Bearer <your-jwt-token>
- CUSTOMER: Standard user with access to personal accounts and transactions
- ADMIN: Full system access including user management
- SUPPORT: Read access for customer support operations
POST /api/auth/register- Register new userPOST /api/auth/login- User loginPOST /api/auth/logout- User logout
GET /api/users/profile- Get user profilePUT /api/users/profile- Update user profileGET /api/users- List users (Admin only)
GET /api/accounts- Get user accountsPOST /api/accounts- Create new accountGET /api/accounts/:id- Get account detailsGET /api/accounts/:id/transactions- Get account transactions
POST /api/transactions/transfer- Transfer money between accountsPOST /api/transactions/deposit- Deposit moneyPOST /api/transactions/withdraw- Withdraw moneyGET /api/transactions- Get transaction history
- Input Validation: Comprehensive validation using Joi schemas
- SQL Injection Protection: Prisma ORM with prepared statements
- Rate Limiting: Redis-based rate limiting with different limits for different operations
- Authentication: 5 attempts per 15 minutes per email/IP
- Financial Operations: 3-10 requests per minute per user based on operation type
- Global API: 100 requests per minute per IP
- CORS Protection: Cross-origin request security
- Helmet: Security headers middleware
- Audit Logging: All financial operations are logged
- Password Hashing: bcrypt for secure password storage
The API implements sophisticated Redis-based rate limiting:
- Progressive Limits: Stricter limits for sensitive operations (payments < transfers < transactions)
- Multiple Strategies: Email-based for auth, user-based for financial ops, IP-based for general API
- Graceful Degradation: Fails open if Redis is unavailable
- Rate Limit Headers: All responses include limit status headers
- Admin Controls: Rate limits can be reset for troubleshooting
For detailed rate limiting documentation, see RATE_LIMITING.md
npm run dev- Start development server with hot reloadnpm run build- Build production bundlenpm start- Start production servernpm test- Run testsnpm run test:watch- Run tests in watch modenpm run test:coverage- Run tests with coveragenpm run db:migrate- Run database migrationsnpm run db:generate- Generate Prisma clientnpm run db:studio- Open Prisma Studionpm run docker:up- Start Docker servicesnpm run docker:down- Stop Docker servicesnpm run db:seed- Seed the database with demo/test data
The project uses TypeScript strict mode and follows these conventions:
- ESLint for code linting
- Prettier for code formatting
- Husky for pre-commit hooks (optional)
- Structured Logging: Winston with JSON format
- Log Levels: error, warn, info, debug
- Log Files: Stored in
logs/directory - Audit Trail: All financial operations are logged with user context
- Security Headers: Helmet is used to set secure HTTP headers by default.
- Input Validation & Sanitization: All user input is validated and sanitized using express-validator and Joi schemas.
- Rate Limiting: Redis-based rate limiting is enforced for all endpoints, with progressive limits for sensitive operations.
- Performance Profiling: All API responses include an
X-Response-Timeheader, and slow endpoints are logged for profiling and optimization.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
For support and questions:
- Check the API documentation at
/api-docs - Review the test files for usage examples
- Create an issue in the repository
- Implement payment gateway integration (Stripe, PayPal)
- Add financial analytics and reporting
- Implement KYC (Know Your Customer) verification
- Add support for multiple currencies
- Implement automated compliance checks
- Add GraphQL API alongside REST
- Implement event sourcing for audit compliance