Overview:
BlogApp-RestAPI is a RESTful API that enables users to interact with blog posts, comments, and likes. It provides comprehensive CRUD operations for users, posts, comments, and likes, offering a fully-featured blog experience with secure authentication and role-based authorization.
- User Management:
User registration, update, delete, and listing. - Post Management:
Create, read, update, and delete blog posts. - Comments & Likes:
Users can comment on and like posts. - JWT Authentication & Refresh Token Security:
Secured endpoints with JWT-based authentication, refresh token rotation, device tracking, and role-based access control. - Advanced Token Management:
Persistent refresh tokens with automatic cleanup, session limits, and secure logout functionality.
- Java 25 & Spring Boot 3.5.6:
API development, dependency injection, and MVC architecture. - Spring Data JPA:
Simplifies database interactions. - Maven:
Project management and dependency tool. - Spring Security & JWT:
Provides secure authentication and authorization. - PostgreSQL:
Primary database for persistent storage.
- The project uses SLF4J with Logback (provided by Spring Boot) for application-wide logging. Many service classes include Lombok's
@Slf4jannotation. - Adjust log levels in
application.properties. Minimal examples:logging.level.root=INFOlogging.level.com.yusufziyrek=DEBUG
The project follows Clean Architecture in a Modular Monolith setup:
- Domain-centric modules:
auth/,user/,post/,comment/,like/(+shared/for cross-cutting concerns) - Layers per module:
domain/→ Entities and domain logicapplication/usecases/→ Orchestrates business rules per actionports/→ Interfaces (e.g., repositories) consumed by use cases
infrastructure/web/→ REST controllers (adapters)persistence/→ JPA adapters (port implementations)config/→ Module wiring
- Request flow: Controller → UseCase → Port → Adapter (JPA) → DB
- CQRS-lite: Read/Write use cases are separated where meaningful
Cross-cutting concerns live under shared/ (Security/JWT, CORS/Cache config, exceptions, common DTOs).
- Users:
Stores user details (ID, username, department, email, role, etc.). - Posts:
Stores post details (ID, title, content, commentCount, likeCount, timestamps, etc.). - Comments:
Stores comments related to posts (ID, userId, postId, likeCount, timestamps, etc.). - Likes:
Stores likes on posts and comments (ID, userId, postId, commentId, timestamps, etc.). - Refresh Tokens:
Persistent refresh tokens with device tracking for secure session management.
POST /api/v1/auth/register:
Register a new user and immediately authenticate (returns access + refresh token).POST /api/v1/auth/login:
Authenticate with email or username + password (returns access + refresh token).POST /api/v1/auth/refresh:
Issue a new access token using a valid (non‑revoked) refresh token.
GET /api/v1/users(ADMIN):
Paginated list of users.GET /api/v1/users/me:
Current authenticated user profile.PUT /api/v1/users/me:
Update own profile data.GET /api/v1/users/{id}(ADMIN or owner):
Fetch user by ID.PUT /api/v1/users/{id}(ADMIN or owner):
Update user by ID.
GET /api/v1/posts:
Paginated list of posts.GET /api/v1/posts/me:
Posts created by the authenticated user.GET /api/v1/posts/{id}:
Post details.POST /api/v1/posts:
Create a post (auth required).PUT /api/v1/posts/{id}:
Update a post (owner only).DELETE /api/v1/posts/{id}:
Delete a post (owner only).
GET /api/v1/posts/{postId}/comments:
Paginated comments for a post.POST /api/v1/posts/{postId}/comments:
Add comment to post (auth required).
GET /api/v1/comments/{id}:
Comment details.PUT /api/v1/comments/{id}:
Update comment (owner only).DELETE /api/v1/comments/{id}:
Delete comment (owner only).
POST /api/v1/posts/{postId}/likes:
Like a post (auth required).DELETE /api/v1/posts/{postId}/likes:
Unlike a post (auth required).GET /api/v1/posts/{postId}/likes:
Paginated likes for a post.GET /api/v1/posts/{postId}/likes/count:
Total like count for a post.
POST /api/v1/comments/{commentId}/likes:
Like a comment (auth required).DELETE /api/v1/comments/{commentId}/likes:
Unlike a comment (auth required).GET /api/v1/comments/{commentId}/likes:
Paginated likes for a comment.
✅ Nested Resources (comments & likes under posts / comments)
✅ Ownership Enforcement (update/delete restricted)
✅ Stateless Auth (JWT in Authorization header)
✅ Consistent Plural Nouns & Hierarchical URLs
-
JWT-Based Authentication:
Each request to a protected endpoint requires a valid JWT token. Users receive both access and refresh tokens upon successful login/registration:Authorization: Bearer <ACCESS_TOKEN> -
Refresh Token Mechanism:
- Persistent Storage: Refresh tokens are stored in database with expiration tracking
- Device Tracking: Each refresh token includes device info and IP address for security
- Token Rotation: New refresh token generated on each refresh request
- Automatic Cleanup: Expired tokens are automatically cleaned up via scheduled tasks
- Session Limits: Maximum 5 active refresh tokens per user (configurable)
-
Security Features:
- Token Revocation: Logout revokes refresh tokens immediately
- Role-Based Access: Spring Security integration with method-level permissions
- Expiration Handling: Separate expiration times for access (1h) and refresh tokens (24h)
- Device Management: Track and limit active sessions per user
- Clone the Repository:
git clone https://github.com/yusufziyrek/blogApp-RestAPI.git
- Navigate to the Project Directory:
cd blogApp-RestAPI - Run the Application Using Maven:
mvn spring-boot:run
- Configure JWT, Email, and Cache Settings:
In yourapplication.properties, set up the following:# JWT Configuration jwt.secret-key=YourSecureSecretKey jwt.expiration-time=3600000 # Access token: 1 hour jwt.refresh-token.expiration-ms=86400000 # Refresh token: 24 hours # Refresh Token Settings jwt.refresh.max-tokens-per-user=5 # Max active sessions per user jwt.refresh.cleanup.enabled=true # Auto cleanup expired tokens # Email Configuration (using Gmail SMTP with TLS) spring.mail.host=smtp.gmail.com spring.mail.port=587 spring.mail.username=your_email@gmail.com spring.mail.password=your_app_password spring.mail.properties.mail.smtp.auth=true spring.mail.properties.mail.smtp.starttls.enable=true spring.mail.properties.mail.smtp.starttls.required=true
- Test Endpoints:
- Authentication:
# Register new user curl -X POST http://localhost:8080/api/v1/auth/register \ -H "Content-Type: application/json" \ -d '{"firstname":"John","lastname":"Doe","username":"johndoe","email":"john@example.com","password":"password123","department":"IT","age":25}' # Login curl -X POST http://localhost:8080/api/v1/auth/login \ -H "Content-Type: application/json" \ -d '{"email":"john@example.com","password":"password123"}' # Refresh token curl -X POST http://localhost:8080/api/v1/auth/refresh \ -H "Content-Type: application/json" \ -d '{"refreshToken":"your_refresh_token_here"}' # Logout curl -X POST http://localhost:8080/api/v1/auth/logout \ -H "Content-Type: application/json" \ -d '{"refreshToken":"your_refresh_token_here"}'
- Authentication:
- Database Configuration:
Update the relevant properties inapplication.properties(orapplication.yml) to point to your preferred database (MySQL, PostgreSQL, etc.).
- Email Verification: Add email verification for new user registrations.
- Caffeine Cache: Integrate caching for frequently accessed endpoints.
- OAuth2 Support: Enable social login via Google and GitHub.
- 2FA (Two-Factor Authentication): Enhance security with OTP-based login.
- Device Management: Web interface for users to manage their active sessions.
- Advanced Token Analytics: Track token usage patterns and suspicious activities.
- Admin Panel: Provide a web interface for managing users, posts, and comments.
For more information, check the GitHub repository.
-
Auth operations
-
Post operations
-
Comment operations
-
Like operations
Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
- Yusuf Ziyrek - GitHub Profile
- Spring Boot team for the excellent framework
- Open source community for the tools and libraries used in this project
