Problem it solves: Most MERN projects hand-wave authentication. This system implements real production auth: token lifecycle, role-based access, security hardening, and observability.

Key Highlights
• Built a JWT-based authentication system using access + refresh tokens with proper expiry handling
• Implemented refresh token rotation and server-side token invalidation to prevent replay attacks
• Designed Role-Based Access Control (RBAC) for Admin, Manager, and User roles using middleware
• Secured auth flows with httpOnly cookies, bcrypt password hashing, and rate-limited endpoints
• Added protected backend routes and frontend route guards for authenticated and authorized access
• Implemented audit logging to track who did what and when (auth events + protected actions)
• Built production-grade health checks (uptime, DB connectivity, memory usage, response time)
• Structured the backend with a clean MVC architecture and reusable middleware
• Designed for multi-device sessions with refresh token tracking per login
• Deployment-ready with environment-based config and security best practices

Tech Stack
• Backend: Node.js, Express, MongoDB, Mongoose
• Auth & Security: JWT, bcrypt, httpOnly cookies, rate limiting
• Frontend: React (protected routes and role-based dashboards)
• Architecture: Middleware-driven authorization, token lifecycle management

What this demonstrates
• Deep understanding of authentication vs. authorization
• Real-world handling of token expiry, rotation, and logout
• Security-first backend design (not tutorial-level auth)
• Ability to explain why decisions were made, not just implement them