Chapter 17: Full Backend Project

Build a complete Task Manager API from scratch, applying everything you have learned about Node.js, Express, Sequelize, and Authentication.

Project Setup

Models

Routes

Controllers

Services

Testing

Quiz

Project Setup

Building a backend project is like building a house. You need a blueprint (project structure), a foundation (setup and config), walls and rooms (models, routes, controllers), and plumbing (services and middleware). Let's build it step by step.

Architecture Diagram

            Task Manager API — Architecture

            Client Request

                ↓

            Routes         (Define URL endpoints)

                ↓

            Middleware    (Auth check, validation)

                ↓

            Controllers   (Handle request/response)

                ↓

            Services      (Business logic)

                ↓

            Models        (Database operations)

                ↓

            Database (SQLite/PostgreSQL)

Folder Structure

Project — Folder Structure

task-manager/
  ├── src/
  │   ├── models/
  │   │   ├── index.js        # Sequelize setup & associations
  │   │   ├── User.js         # User model
  │   │   └── Task.js         # Task model
  │   ├── routes/
  │   │   ├── authRoutes.js   # /api/auth/login, /register
  │   │   └── taskRoutes.js   # /api/tasks CRUD
  │   ├── controllers/
  │   │   ├── authController.js
  │   │   └── taskController.js
  │   ├── services/
  │   │   ├── authService.js
  │   │   └── taskService.js
  │   ├── middleware/
  │   │   └── auth.js         # JWT verification
  │   └── app.js              # Express app setup
  ├── .env                    # Environment variables
  ├── server.js               # Entry point
  └── package.json

Initialize the Project

Terminal — Project Initialization

# Create project and install dependencies
mkdir task-manager && cd task-manager
npm init -y

npm install express sequelize sqlite3 bcrypt jsonwebtoken dotenv
npm install --save-dev nodemon

# Create the folder structure
mkdir -p src/models src/routes src/controllers src/services src/middleware

.env — Environment Variables

PORT=3000
JWT_SECRET=your-super-secret-key-change-this
DB_PATH=./database.sqlite

src/app.js — Express App Setup

require('dotenv').config();
const express = require('express');
const authRoutes = require('./routes/authRoutes');
const taskRoutes = require('./routes/taskRoutes');

const app = express();

// Middleware
app.use(express.json()); // Parse JSON request bodies

// Routes
app.use('/api/auth', authRoutes);
app.use('/api/tasks', taskRoutes);

// Health check
app.get('/api/health', (req, res) => {
    res.json({ status: 'OK', timestamp: new Date().toISOString() });
});

module.exports = app;

server.js — Entry Point

const app = require('./src/app');
const { sequelize } = require('./src/models');

const PORT = process.env.PORT || 3000;

async function start() {
    await sequelize.sync(); // Create tables if they don't exist
    console.log('Database synced!');

    app.listen(PORT, () => {
        console.log(`Server running on http://localhost:${PORT}`);
    });
}

start();

Models

Models define your database tables. Our Task Manager has two models: User and Task.

src/models/index.js — Database Setup

const { Sequelize } = require('sequelize');

const sequelize = new Sequelize({
    dialect: 'sqlite',
    storage: process.env.DB_PATH || './database.sqlite',
    logging: false
});

const User = require('./User')(sequelize);
const Task = require('./Task')(sequelize);

// Define relationships
User.hasMany(Task);
Task.belongsTo(User);

module.exports = { sequelize, User, Task };

src/models/User.js

const { DataTypes } = require('sequelize');

module.exports = (sequelize) => {
    const User = sequelize.define('User', {
        name: {
            type: DataTypes.STRING,
            allowNull: false
        },
        email: {
            type: DataTypes.STRING,
            allowNull: false,
            unique: true,
            validate: { isEmail: true }
        },
        password: {
            type: DataTypes.STRING,
            allowNull: false
        }
    });
    return User;
};

src/models/Task.js

const { DataTypes } = require('sequelize');

module.exports = (sequelize) => {
    const Task = sequelize.define('Task', {
        title: {
            type: DataTypes.STRING,
            allowNull: false,
            validate: { len: [1, 200] }
        },
        description: {
            type: DataTypes.TEXT,
            defaultValue: ''
        },
        status: {
            type: DataTypes.ENUM('pending', 'in-progress', 'completed'),
            defaultValue: 'pending'
        },
        dueDate: {
            type: DataTypes.DATE,
            allowNull: true
        }
    });
    return Task;
};

Routes

Routes define the URL endpoints your API responds to. They map HTTP methods to controller functions.

src/routes/authRoutes.js

const express = require('express');
const router = express.Router();
const authController = require('../controllers/authController');

// POST /api/auth/register
router.post('/register', authController.register);

// POST /api/auth/login
router.post('/login', authController.login);

module.exports = router;

src/routes/taskRoutes.js

const express = require('express');
const router = express.Router();
const taskController = require('../controllers/taskController');
const { authenticate } = require('../middleware/auth');

// All task routes require authentication
router.use(authenticate);

// CRUD routes
router.get('/',       taskController.getAll);     // GET    /api/tasks
router.get('/:id',   taskController.getOne);      // GET    /api/tasks/1
router.post('/',      taskController.create);      // POST   /api/tasks
router.put('/:id',   taskController.update);       // PUT    /api/tasks/1
router.delete('/:id', taskController.remove);      // DELETE /api/tasks/1

module.exports = router;

Notice that router.use(authenticate) protects ALL task routes at once. Every request to /api/tasks/* must include a valid JWT token.

Controllers

Controllers handle the HTTP request and response. They receive data from the client, call the service layer, and send back a response.

src/controllers/authController.js

const authService = require('../services/authService');

exports.register = async (req, res) => {
    try {
        const { name, email, password } = req.body;
        if (!name || !email || !password) {
            return res.status(400).json({ error: 'Name, email, and password are required' });
        }
        const result = await authService.register({ name, email, password });
        res.status(201).json(result);
    } catch (error) {
        const status = error.message === 'Email already registered' ? 400 : 500;
        res.status(status).json({ error: error.message });
    }
};

exports.login = async (req, res) => {
    try {
        const { email, password } = req.body;
        if (!email || !password) {
            return res.status(400).json({ error: 'Email and password are required' });
        }
        const result = await authService.login({ email, password });
        res.json(result);
    } catch (error) {
        res.status(401).json({ error: error.message });
    }
};

src/controllers/taskController.js

const taskService = require('../services/taskService');

exports.getAll = async (req, res) => {
    try {
        const tasks = await taskService.getAllForUser(req.user.userId);
        res.json(tasks);
    } catch (error) {
        res.status(500).json({ error: 'Failed to fetch tasks' });
    }
};

exports.getOne = async (req, res) => {
    try {
        const task = await taskService.getById(req.params.id, req.user.userId);
        if (!task) return res.status(404).json({ error: 'Task not found' });
        res.json(task);
    } catch (error) {
        res.status(500).json({ error: 'Failed to fetch task' });
    }
};

exports.create = async (req, res) => {
    try {
        const task = await taskService.create(req.body, req.user.userId);
        res.status(201).json(task);
    } catch (error) {
        res.status(400).json({ error: error.message });
    }
};

exports.update = async (req, res) => {
    try {
        const task = await taskService.update(req.params.id, req.body, req.user.userId);
        if (!task) return res.status(404).json({ error: 'Task not found' });
        res.json(task);
    } catch (error) {
        res.status(400).json({ error: error.message });
    }
};

exports.remove = async (req, res) => {
    try {
        const deleted = await taskService.remove(req.params.id, req.user.userId);
        if (!deleted) return res.status(404).json({ error: 'Task not found' });
        res.json({ message: 'Task deleted successfully' });
    } catch (error) {
        res.status(500).json({ error: 'Failed to delete task' });
    }
};

Services

Services contain the business logic. They interact with models and handle data processing, keeping controllers thin and focused on HTTP concerns.

src/services/authService.js

const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');
const { User } = require('../models');

const SECRET = process.env.JWT_SECRET || 'dev-secret';

exports.register = async ({ name, email, password }) => {
    const existing = await User.findOne({ where: { email } });
    if (existing) throw new Error('Email already registered');

    const hashedPassword = await bcrypt.hash(password, 10);
    const user = await User.create({ name, email, password: hashedPassword });

    return {
        message: 'Registered successfully',
        user: { id: user.id, name: user.name, email: user.email }
    };
};

exports.login = async ({ email, password }) => {
    const user = await User.findOne({ where: { email } });
    if (!user) throw new Error('Invalid email or password');

    const valid = await bcrypt.compare(password, user.password);
    if (!valid) throw new Error('Invalid email or password');

    const token = jwt.sign(
        { userId: user.id, email: user.email },
        SECRET,
        { expiresIn: '24h' }
    );

    return { message: 'Login successful', token, user: { id: user.id, name: user.name } };
};

src/services/taskService.js

const { Task } = require('../models');

exports.getAllForUser = async (userId) => {
    return Task.findAll({
        where: { UserId: userId },
        order: [['createdAt', 'DESC']]
    });
};

exports.getById = async (id, userId) => {
    return Task.findOne({ where: { id, UserId: userId } });
};

exports.create = async (data, userId) => {
    if (!data.title) throw new Error('Title is required');
    return Task.create({
        title: data.title,
        description: data.description || '',
        status: data.status || 'pending',
        dueDate: data.dueDate || null,
        UserId: userId
    });
};

exports.update = async (id, data, userId) => {
    const task = await Task.findOne({ where: { id, UserId: userId } });
    if (!task) return null;
    return task.update(data);
};

exports.remove = async (id, userId) => {
    const task = await Task.findOne({ where: { id, UserId: userId } });
    if (!task) return null;
    await task.destroy();
    return true;
};

Testing the API

You can test your API using curl commands in the terminal, or use a tool like Postman or Thunder Client.

Terminal — Testing with curl

# 1. Start the server
npm run dev

# 2. Register a new user
curl -X POST http://localhost:3000/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"name": "Rahul", "email": "rahul@test.com", "password": "secret123"}'

# 3. Login to get a token
curl -X POST http://localhost:3000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "rahul@test.com", "password": "secret123"}'
# Response: { "token": "eyJhbGciOi..." }

# 4. Create a task (use the token from step 3)
curl -X POST http://localhost:3000/api/tasks \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN_HERE" \
  -d '{"title": "Learn Express", "description": "Build a REST API"}'

# 5. Get all tasks
curl http://localhost:3000/api/tasks \
  -H "Authorization: Bearer YOUR_TOKEN_HERE"

# 6. Update a task
curl -X PUT http://localhost:3000/api/tasks/1 \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN_HERE" \
  -d '{"status": "completed"}'

# 7. Delete a task
curl -X DELETE http://localhost:3000/api/tasks/1 \
  -H "Authorization: Bearer YOUR_TOKEN_HERE"

Pro tip: Add "dev": "nodemon server.js" to the "scripts" section of your package.json. Then npm run dev will auto-restart the server whenever you save a file.

API Endpoint Summary

Method	Endpoint	Auth?	Description
POST	/api/auth/register	No	Create new user
POST	/api/auth/login	No	Login, get token
GET	/api/tasks	Yes	List all user's tasks
GET	/api/tasks/:id	Yes	Get one task
POST	/api/tasks	Yes	Create a task
PUT	/api/tasks/:id	Yes	Update a task
DELETE	/api/tasks/:id	Yes	Delete a task

📝 Chapter 17 Quiz

1. Where does business logic belong in this architecture?

In the routes

In the controllers

In the services

In the models

2. How do we protect all task routes at once?

router.use(authenticate) before defining routes

Add authenticate to each route individually

Check the token in each controller

Put auth logic in the model

3. What is the controller's main responsibility?

Defining database table columns

Handling HTTP request/response and calling services

Hashing passwords and generating tokens

Defining URL endpoints

4. Why does the task service filter by UserId?

To make queries faster

To sort tasks by user

Because Sequelize requires it

So users can only access their own tasks

5. What does sequelize.sync() do when the server starts?

Creates database tables based on model definitions

Deletes all existing data

Connects to a remote database

Runs all pending migrations

← Chapter 16: Advanced Sequelize Chapter 18: Git & GitHub →