This API provides a comprehensive and efficient backend solution for managing a university library's operations, transforming traditional library services into a modern, accessible online experience. Designed for seamless integration with web and mobile applications, it offers robust functionalities for students, faculty, and library staff.

PerezChris99/University-Library-RESTful-API

University Library RESTful API

A comprehensive RESTful API for managing university library operations including books, users, borrowings, reservations, and analytics. Built with Node.js, Express, and MongoDB.

Features

Core Functionality

  • Book Management: CRUD operations for library books with categories, search, and filtering
  • User Management: User registration, authentication, profile management
  • Borrowing System: Borrow and return books with automatic due date tracking
  • Reservation System: Reserve books that are currently unavailable
  • Fine Management: Automatic fine calculation for overdue books
  • Analytics Dashboard: Library statistics and usage reports (admin only)

Security Features

  • JWT-based authentication
  • Password hashing with bcrypt
  • Request rate limiting
  • Input sanitization (NoSQL injection prevention)
  • XSS protection
  • HTTP Parameter Pollution prevention
  • Security headers (Helmet)
  • CORS configuration

Technology Stack

| Technology | Purpose |
|---|---|
| Node.js | Runtime environment |
| Express.js | Web framework |
| MongoDB | Database |
| Mongoose | ODM for MongoDB |
| JWT | Authentication tokens |
| bcryptjs | Password hashing |
| Helmet | Security headers |
| express-rate-limit | Rate limiting |
| express-mongo-sanitize | NoSQL injection prevention |
| xss-clean | XSS attack prevention |
| hpp | HTTP Parameter Pollution prevention |
| Swagger UI | API documentation |
| Jest | Testing framework |

Project Structure

university-library-restful-api/
├── app.js                 # Express app configuration
├── server.js              # Server entry point
├── package.json           # Dependencies and scripts
├── swagger.json           # API documentation
├── .env                   # Environment variables
├── config/
│   ├── config.js          # Configuration loader
│   └── config.json        # Environment-specific configs
├── middleware/
│   ├── auth.js            # Authentication middleware
│   ├── rateLimiter.js     # Rate limiting configurations
│   └── security.js        # Security middleware
├── models/
│   ├── book.js            # Book model
│   ├── user.js            # User model
│   ├── borrowing.js       # Borrowing model
│   └── reservation.js     # Reservation model
├── routes/
│   ├── bookRoutes.js      # Book endpoints
│   ├── userRoutes.js      # User endpoints
│   ├── borrowingRoutes.js # Borrowing endpoints
│   ├── reservationRoutes.js # Reservation endpoints
│   └── analyticRoutes.js  # Analytics endpoints
├── emails/
│   └── account.js         # Email templates
└── tests/
    └── app.test.js        # Test suite

Installation

Prerequisites

  • Node.js (v14 or higher)
  • MongoDB (v4.4 or higher)
  • npm or yarn

Steps

  1. Clone the repository

    git clone <repository-url>
    cd university-library-restful-api
  2. Install dependencies

    npm install
  3. Configure environment variables

    cp .env.example .env
    # Edit .env with your configuration
  4. Start MongoDB

    # Using MongoDB locally
    mongod
    
    # Or using Docker
    docker run -d -p 27017:27017 --name mongodb mongo
  5. Start the server

    # Development mode (with hot reload)
    npm run dev
    
    # Production mode
    npm start
  6. Access the API

Configuration

Environment Variables

Create a .env file in the root directory:

# Server Configuration
PORT=3000
NODE_ENV=development

# Database
MONGODB_URL=mongodb://localhost:27017/library

# JWT Configuration
JWT_SECRET=your_secure_jwt_secret_change_in_production
JWT_EXPIRY=7d

# Fine Configuration
FINE_RATE_PER_DAY=1

# CORS
CORS_ORIGIN=*

# Email Configuration (optional)
EMAIL_SERVICE=gmail
EMAIL_USER=your-email@example.com
EMAIL_PASSWORD=your-app-password

API Endpoints

Books

| Method | Endpoint | Description | Auth |
|---|---|---|---|
| GET | /api/books | Get all books | Public |
| GET | /api/books/:id | Get book by ID | Public |
| POST | /api/books | Create a new book | Admin |
| PATCH | /api/books/:id | Update a book | Admin |
| DELETE | /api/books/:id | Delete a book | Admin |

Query Parameters for GET /api/books:

  • category - Filter by category
  • status - Filter by status (Available, Borrowed, etc.)
  • search - Full-text search
  • sortBy - Sort by field (e.g., title:asc, author:desc)
  • limit - Number of results (default: 10)
  • skip - Pagination offset

Users

| Method | Endpoint | Description | Auth |
|---|---|---|---|
| POST | /api/users | Register new user | Public |
| POST | /api/users/login | User login | Public |
| POST | /api/users/logout | Logout current session | Required |
| POST | /api/users/logoutAll | Logout all sessions | Required |
| GET | /api/users/me | Get current user profile | Required |
| PATCH | /api/users/me | Update user profile | Required |
| POST | /api/users/password-reset | Request password reset | Public |
| POST | /api/users/pay-fines | Pay outstanding fines | Required |

Borrowings

| Method | Endpoint | Description | Auth |
|---|---|---|---|
| POST | /api/borrowings | Borrow a book | Required |
| GET | /api/borrowings/me | Get user's borrowings | Required |
| GET | /api/borrowings/:id | Get borrowing details | Required |
| PATCH | /api/borrowings/:id/return | Return a book | Required |
| PATCH | /api/borrowings/:id/renew | Renew a borrowing | Required |

Reservations

| Method | Endpoint | Description | Auth |
|---|---|---|---|
| POST | /api/reservations | Create a reservation | Required |
| GET | /api/reservations/me | Get user's reservations | Required |
| GET | /api/reservations/:id | Get reservation details | Required |
| PATCH | /api/reservations/:id/cancel | Cancel a reservation | Required |

Analytics (Admin Only)

| Method | Endpoint | Description | Auth |
|---|---|---|---|
| GET | /api/analytics/stats | Get library statistics | Admin |
| GET | /api/analytics/popular-books | Get most borrowed books | Admin |
| GET | /api/analytics/borrowing-trends | Get borrowing trends | Admin |
| GET | /api/analytics/category-distribution | Get category distribution | Admin |
| GET | /api/analytics/top-fines | Get users with highest fines | Admin |

Security Features

Authentication

  • JWT Tokens: Secure token-based authentication
  • Password Hashing: bcrypt with salt rounds for secure password storage
  • Session Management: Support for multiple device sessions with logout functionality

Request Security

  • Helmet: Sets various HTTP headers for security
  • CORS: Configurable Cross-Origin Resource Sharing
  • Input Sanitization: Prevents NoSQL injection attacks
  • XSS Protection: Sanitizes user input to prevent cross-site scripting
  • HPP Protection: Prevents HTTP Parameter Pollution attacks

Data Validation

  • Request body size limits (10KB)
  • Content-Type validation
  • Input validation on all models
  • Whitelist-based update operations

Rate Limiting

The API implements multiple rate limiters to prevent abuse:

| Limiter | Window | Max Requests | Applied To |
|---|---|---|---|
| API General | 15 min | 100 | All /api routes |
| Authentication | 1 hour | 10 | Login endpoint |
| Password Reset | 1 hour | 3 | Password reset endpoint |
| Resource Creation | 1 hour | 50 | POST endpoints |

When rate limited, the API returns:

{
  "error": "Too many requests from this IP, please try again after 15 minutes"
}

Authentication

Register a New User

curl -X POST http://localhost:3000/api/users \
  -H "Content-Type: application/json" \
  -d '{
    "name": "John Doe",
    "email": "john@example.com",
    "password": "password123",
    "role": "student",
    "department": "Computer Science"
  }'

Login

curl -X POST http://localhost:3000/api/users/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "john@example.com",
    "password": "password123"
  }'

Using the Token

Include the JWT token in the Authorization header:

curl -X GET http://localhost:3000/api/users/me \
  -H "Authorization: Bearer <your-jwt-token>"

User Roles

  • student: Basic user, can borrow and reserve books
  • faculty: Same as student with extended borrowing periods
  • librarian: Can manage books and view user borrowings
  • admin: Full access including analytics and user management

Testing

Run the test suite:

npm test

Run tests with coverage:

npm test -- --coverage

API Documentation

Interactive API documentation is available at:

http://localhost:3000/api-docs

The documentation uses Swagger UI and provides:

  • Complete endpoint listing
  • Request/response schemas
  • Try-it-out functionality
  • Authentication testing

Error Handling

The API uses standard HTTP status codes:

| Code | Description |
|---|---|
| 200 | Success |
| 201 | Created |
| 400 | Bad Request |
| 401 | Unauthorized |
| 403 | Forbidden |
| 404 | Not Found |
| 409 | Conflict (duplicate) |
| 415 | Unsupported Media Type |
| 429 | Too Many Requests |
| 500 | Internal Server Error |

Error response format:

{
  "error": "Error message description"
}

Health Check

The API provides a health check endpoint:

curl http://localhost:3000/health

Response:

{
  "status": "healthy",
  "timestamp": "2024-01-01T00:00:00.000Z",
  "uptime": 3600
}

Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

This project is licensed under the ISC License.

Support

For support, please open an issue in the repository or contact the maintainers.