DevstackBackend

A modular Express/Mongoose backend package with built-in Auth, Profile, Email OTP, Push Notifications (Web Push), and Payments (Stripe/Razorpay).

Install

npm install devstackbackend

Quick Start

import dotenv from "dotenv";
import {
  startServer,
  startSignup,
  startSignin,
  EmailOtpService,
  PushNotificationService,
  PaymentService,
  ProfileService,
} from "devstackbackend";

dotenv.config();

const { app } = await startServer({
  mongoUri: process.env.MONGO_URI,
  port: Number(process.env.PORT) || 3000,
});

startSignup(app, process.env.JWT_SECRET);
startSignin(app, process.env.JWT_SECRET);
ProfileService(app, { jwtSecret: process.env.JWT_SECRET });

EmailOtpService(app, {
  emailUser: process.env.EMAIL_USER,
  emailPass: process.env.EMAIL_PASS,
  otpExpiry: 5,
});

PushNotificationService({
  app,
  publicKey: process.env.VAPID_PUBLIC_KEY,
  privateKey: process.env.VAPID_PRIVATE_KEY,
  email: "mailto:admin@example.com",
});

PaymentService(app, {
  stripeSecretKey: process.env.STRIPE_SECRET_KEY,
  stripePublicKey: process.env.STRIPE_PUBLIC_KEY,
  razorpayKeyId: process.env.RAZORPAY_KEY_ID,
  razorpayKeySecret: process.env.RAZORPAY_KEY_SECRET,
});

Environment

MONGO_URI
JWT_SECRET
EMAIL_USER, EMAIL_PASS
VAPID_PUBLIC_KEY, VAPID_PRIVATE_KEY
STRIPE_SECRET_KEY, STRIPE_PUBLIC_KEY
RAZORPAY_KEY_ID, RAZORPAY_KEY_SECRET

Services

Server

What it provides:

A pre-wired Express app with CORS and JSON parsing
A Mongoose connection lifecycle (single connect and ready-to-use models)
A simple bootstrap API returning { app, server } so you can compose services
Export: startServer({ mongoUri, port })
Returns: { app, server }

Auth

What it provides:

Signup with Zod validation and bcrypt password hashing
Signin with secure JWT issuance (1-day expiry)
Minimal error surface with consistent JSON responses
Exports: startSignup(app, jwtSecret), startSignin(app, jwtSecret)
Endpoints:
- POST /signup → Body { name, email, password } → { token, user }
- POST /signin → Body { email, password } → { token, user }

Profile

What it provides:

JWT-authenticated self-service profile retrieval and update
Secure password update with hashing if provided
Clean separation: auth issues a token, profile consumes it
Export: ProfileService(app, { jwtSecret })
Headers: Authorization: Bearer <jwt>
Endpoints:
- GET /me → { id, name, email }
- PUT /me → Body { name?, password? } → { id, name, email }

Email OTP

What it provides:

Email-based OTP delivery using Nodemailer
In-memory OTP issuance and verification with expiry window
Drop-in routes suitable for signup, MFA, or email verification flows
Export: EmailOtpService(app, { emailUser, emailPass, otpExpiry })
Endpoints:
- POST /send-otp → Body { email }
- POST /verify-otp → Body { email, otp }

Push Notifications (Web Push)

What it provides:

Standards-based browser push with VAPID authentication
Endpoints to capture subscriptions and broadcast messages
Optional programmatic API: sendAll, addSubscription
Export: PushNotificationService({ app, publicKey, privateKey, email, subscriptions })
Generate VAPID keys:

npx web-push generate-vapid-keys

Endpoints:
- POST /subscribe → PushSubscription
- POST /send → { title?, body? }
Returned API: sendAll(payload), addSubscription(sub)

Payments

What it provides:

Unified create-payment endpoint abstracting Stripe and Razorpay
Safe server-side initiation returning client consumables (clientSecret/orderId)
Minimal config; enable either provider or both
Export: PaymentService(app, config)
Endpoint: POST /api/payment/create
- Body: { amount, currency = "INR", gateway: "stripe" | "razorpay" }
- Stripe: { provider, clientSecret, publicKey }
- Razorpay: { provider, orderId, amount, currency, keyId }

Data Model

User:

{ email: String, password: String, name: String }

Notes

Use HTTPS in production (push and payments).
Store OTPs/subscriptions in DB for production use.
Keep JWT_SECRET strong and private.

License

ISC

Author

Sanchit Mehta