Production-ReadySenior

CAPSULE

Production-Grade Visual Vlogging Platform with Security-First Architecture

Description

Full-stack vlogging platform implementing hardened stateless authentication with HttpOnly Secure cookie-based token delivery, JWT refresh token rotation with reuse detection, Redis cache-aside performance strategy, Bull-backed asynchronous processing, strict environment validation, and production-grade observability through structured logging, Prometheus metrics, Sentry error monitoring, and correlation ID tracing.

Problem Solved

Demonstrates a security-first and production-aware system architecture for a high-concurrency social content platform. The project tackles challenges such as stateless authentication security, safe token lifecycle management, asynchronous background processing, AI-powered moderation pipelines, scalable caching strategies, and real-time system observability.

Architecture

Layered Monorepo Architecture with Security Middleware, Async Workers, Observability, and AI Moderation. Client (React SPA) -> Express Middleware Stack -> Controller Layer -> Service Layer -> MongoDB + Redis Cache -> Bull Worker Processes -> External Services (Groq AI, Cloudinary, Email APIs).

Tech Stack

Node.js 20ExpressMongoDBMongooseRedisBullReact 18ViteTanStack QueryJWTWinstonPrometheusSentryCloudinaryGroq AITailwind CSS

Tags

JWT RotationRefresh Token Reuse DetectionHttpOnly Cookie AuthenticationTiered Rate LimitingBull QueuesRedis Cache-AsideAI ModerationPrometheus MetricsQueue Metrics MonitoringDead Letter QueueSentry Error TrackingStructured LoggingCorrelation IDDefense-in-DepthStateless APILayered ArchitectureProduction Observability

Scalability

Stateless APIHorizontal scaling readyRedis-backed queue processingIndexed MongoDB queriesCache invalidation strategyAsync worker architectureExternal CDN media delivery

Designed for horizontal scalability through stateless application servers, Redis-backed queues, cache-aside optimization, and asynchronous processing pipelines. The architecture supports scaling API nodes independently while Redis and MongoDB manage distributed state.

Architecture Breakdown

System Architecture

Client (React SPA)
Edge Security Middleware
CORS Policy
Helmet Security Headers
Rate Limiter
JSON Parser
Auth Middleware (JWT Cookie)
Express Router
Controller Layer
Auth Controller
Video Controller
Comment Controller
User Controller
Service Layer
Auth Service
Video Service
Comment Service
User Service
Data Layer
MongoDB Database
Redis Cache
Feed Cache
Session Store
Rate Limit Store
Async Queue System
Bull Queue Manager
Email Worker
AI Moderation Worker
Groq LLM API
HuggingFace NLP Model
Trust Score Evaluator
Account Cleanup Worker
Observability Logging & Telemetry
Prometheus Metrics
Sentry Error Tracking
Winston Structured Logs
Correlation ID Tracing

Post-Forensic Engineering Improvements

Security Hardening

  • Removed accessToken and refreshToken from JSON API responses to eliminate XSS token exposure.
  • All authentication tokens are now delivered via HttpOnly and Secure cookies.
  • Refresh token lifecycle hardened using rotation and reuse detection.
  • Authentication flow redesigned to prevent client-side access to sensitive tokens.
  • Strict CORS allowlist implemented to block unauthorized cross-origin requests.
  • Helmet middleware integrated to enforce modern HTTP security headers.
  • MongoDB query sanitization added to prevent NoSQL injection.

Configuration & Secrets Management

  • Removed unsafe fallback secrets such as 'testsecret' from JWT configuration logic.
  • Implemented strict environment validation during application boot.
  • Application now terminates startup if critical environment variables are missing.
  • Critical variables validated include JWT_SECRET, REDIS_URL, FRONTEND_URL, and RESEND_API_KEY.
  • Removed hardcoded credentials from database seeding scripts.
  • Database seeding now requires explicit SEED_PASSWORD environment configuration.

Production Observability

  • Integrated Sentry v10 SDK for centralized error monitoring.
  • Prometheus metrics implemented using prom-client.
  • Queue telemetry exposed including queue_waiting, queue_active, queue_completed, and queue_failed.
  • Redis Bull queue monitoring dashboards implemented.
  • Correlation ID tracing added to track requests across services.
  • Structured logging implemented using Winston with log rotation.

Async Processing Reliability

  • Dead Letter Queue system implemented for permanently failed background jobs.
  • DLQ monitoring service isolates poisoned jobs automatically.
  • Queue spike detector alerts when failure rates exceed operational thresholds.
  • Exponential retry strategy implemented for failed worker tasks.
  • Background worker failures are isolated from primary API request lifecycle.

CI/CD Pipeline Stability

  • Resolved ESLint formatting violations that previously broke CI pipelines.
  • Strict lint enforcement enabled with npm run lint -- --max-warnings=0.
  • CI pipeline verified locally to match GitHub Actions workflow.
  • Repository now maintains zero lint violations.

Test Infrastructure Improvements

  • Security tests updated to support HttpOnly cookie authentication.
  • Token assertions migrated from JSON responses to Set-Cookie header parsing.
  • Implemented cookie extraction helpers for integration tests.
  • Injected safe environment variables during Jest bootstrap.
  • Achieved 162/162 passing unit and integration tests.

Engineering Outcome

  • Authentication flow hardened against token leakage vulnerabilities.
  • Application configuration now fails securely during invalid boot conditions.
  • Background worker reliability improved with DLQ isolation.
  • Production monitoring established using Sentry and Prometheus.
  • CI/CD pipeline stabilized through strict lint enforcement.
  • Full automated test suite passing across all security pathways.

Engineering Decisions

  • Stateless JWT authentication to enable horizontal scaling
  • HttpOnly cookie token delivery to eliminate XSS token exposure risk
  • Refresh token rotation with reuse detection to prevent token replay attacks
  • Cache-aside strategy to reduce database load on read-heavy endpoints
  • Bull queue architecture to offload expensive tasks from request lifecycle
  • Normalized engagement counters (likeCount, commentCount) for faster feed queries
  • Centralized error handling middleware for consistent API responses
  • Correlation ID tracing for distributed request debugging
  • Graceful degradation when Redis becomes unavailable
  • Express app/server separation to allow Jest imports without DB initialization
  • Async moderation pipeline to maintain low request latency
  • Strict environment validation preventing insecure boot configurations

Production Readiness

Environment variable validation with secure boot failure
Strict configuration validation at startup
Removal of insecure fallback secrets
Graceful exception handling
Health check endpoints
Structured logging with rotation
Prometheus metrics integration
Queue monitoring and retry mechanisms
Dead-Letter Queue failure isolation
Sentry production error tracking
Role-based authorization
Resource ownership validation
Secure cookie authentication
ESLint zero-warning CI enforcement
162 passing unit and integration tests
No automated CI/CD deployment pipeline
No database migration tooling
No distributed tracing APM solution

Media Proof

Project Videos

Project Screenshots

CAPSULE Screenshot 1
Click to view
CAPSULE Screenshot 2
Click to view