Dr. Md. Sahidur Rahman Khan — Personal Web Platform (Backend API)
Production-grade, scalable, and secure REST API built with Node.js , Express , TypeScript , and MongoDB . Serves two independent frontends — a public-facing Next.js website and a Vite + React admin dashboard.
This backend API powers the personal web platform of Dr. Md. Sahidur Rahman Khan , Associate Professor of Orthopedic & Trauma Surgery at NITOR, Dhaka. The platform covers his professional identity as a doctor, researcher, and public figure.
The API is a single unified backend that feeds:
Frontend
Domain
Framework
Public Website
www.domain.comNext.js + TypeScript
Admin Dashboard
dashboard.domain.comVite + React + TypeScript
┌─────────────────────────────────────────────────────────────────┐
│ SINGLE BACKEND API │
│ Node.js + Express + TypeScript + MongoDB │
│ api.domain.com │
└──────────────────────┬──────────────────────┬───────────────────┘
│ │
┌─────────────▼──────┐ ┌───────────▼────────────┐
│ PUBLIC FRONTEND │ │ DASHBOARD FRONTEND │
│ (Next.js) │ │ (Vite + React) │
│ www.domain.com │ │ dashboard.domain.com │
└────────────────────┘ └────────────────────────┘
Design pattern: MVC (Model → Service → Controller → Routes)
Request → Route → Validator → Auth Middleware → Role Middleware
→ Activity Log Middleware → Controller → Service → Model
→ Response
Package
Purpose
node.jsRuntime
expressHTTP framework
typescriptType safety across the entire codebase
mongooseMongoDB ODM
zodEnvironment variable schema validation
Package
Purpose
jsonwebtokenAccess + refresh token generation
bcryptPassword hashing (salt rounds: 12)
helmetHTTP security headers + CSP
corsStrict origin whitelisting
express-rate-limitPer-route rate limiting
express-mongo-sanitizeNoSQL injection prevention
xssHTML sanitization
cookie-parserHttpOnly refresh token cookies
uuidOTP + magic token generation
Package
Purpose
multerMultipart upload middleware
@imagekit/nodejsImage and PDF storage
cloudinaryVideo storage (testimonials only)
Package
Purpose
nodemailerTransactional email
whatsapp-web.jsWhatsApp alerts to the doctor
node-telegram-bot-apiTelegram contact notifications
Package
Purpose
dayjsDate formatting
axiosHTTP calls (reCAPTCHA, geolocation)
slugifyURL slug generation (Bangla + English)
mongoose-paginate-v2Cursor-based pagination
compressionGzip response compression
morganHTTP request logging
chalk@4.1.2Dev console colorization
/
├── src/
│ ├── modules/
│ │ ├── auth/
│ │ ├── analytics/
│ │ ├── appointment/
│ │ ├── article/
│ │ ├── research/
│ │ ├── testimonial/
│ │ ├── activity-log/
│ │ ├── app-info/
│ │ ├── search/
│ │ ├── contact/
│ │ ├── upload/
│ │ └── users/
│ ├── middlewares/
│ ├── config/
│ ├── utils/
│ ├── emails/
│ ├── constants/
│ ├── types/
│ └── app.ts
├── server.ts
├── tsconfig.json
├── .env
├── package.json
└── README.md
Method
Endpoint
Access
Description
POST
/loginPublic
Email + password login
POST
/forgot-passwordPublic
Send OTP + magic link via email
POST
/verify-otpPublic
Verify 6-digit OTP
POST
/magic-loginPublic
One-click login via magic token
POST
/reset-passwordPublic
Set new password via magic token
POST
/refresh-tokenPublic
Rotate refresh token from cookie
POST
/logoutProtected
Clear refresh token cookie
Method
Endpoint
Access
Description
GET
/meProtected
Get own profile
PATCH
/meProtected
Update own profile
PATCH
/me/passwordProtected
Change password (with verification)
GET
/Admin only
List all users
POST
/inviteAdmin only
Invite moderator via email
PATCH
/:id/toggle-activeAdmin only
Activate/deactivate user
DELETE
/:idAdmin only
Delete user
Analytics — /api/v1/analytics
Method
Endpoint
Access
Description
POST
/trackPublic
Track page view (fire-and-forget)
GET
/pagesAdmin/Mod
Page views grouped by route
GET
/locationsAdmin/Mod
Visitors grouped by country/city
Appointments — /api/v1/appointments
Method
Endpoint
Access
Description
POST
/Public
Submit appointment (reCAPTCHA v3)
GET
/Admin/Mod
All appointments, paginated + filtered
GET
/chartsAdmin/Mod
Chart data (daily/monthly/all-time)
GET
/:idAdmin/Mod
Single appointment details
PATCH
/:id/statusAdmin/Mod
Confirm or cancel
Articles — /api/v1/articles
Method
Endpoint
Access
Description
GET
/categoriesPublic
All article categories
POST
/categoriesAdmin/Mod
Create category
PATCH
/categories/:idAdmin/Mod
Update category
DELETE
/categories/:idAdmin only
Delete category
GET
/Public
All published articles (filter + paginate)
GET
/:slugPublic
Single article + impression increment
POST
/Admin/Mod
Create article (TipTap HTML)
PATCH
/:idAdmin/Mod
Update article
DELETE
/:idAdmin only
Delete article
Research — /api/v1/research
Method
Endpoint
Access
Description
GET
/Public
All published research (filter + paginate)
GET
/:slugPublic
Single research paper
POST
/Admin/Mod
Add research (PDF upload or DOI link)
PATCH
/:idAdmin/Mod
Update research
DELETE
/:idAdmin only
Delete research
Testimonials — /api/v1/testimonials
Method
Endpoint
Access
Description
GET
/Public
All visible testimonials
POST
/Admin/Mod
Create testimonial
PATCH
/:idAdmin/Mod
Update testimonial
DELETE
/:idAdmin only
Delete testimonial
Activity Logs — /api/v1/activity-logs
Method
Endpoint
Access
Description
GET
/Admin/Mod
All logs (Admin) or own logs (Mod)
DELETE
/:idAdmin/Mod
Delete single log
DELETE
/bulkAdmin/Mod
Bulk delete by IDs
Contact — /api/v1/contact
Method
Endpoint
Access
Description
POST
/Public
Submit message (reCAPTCHA v3)
GET
/Admin/Mod
All messages, paginated + filtered
PATCH
/:id/readAdmin/Mod
Mark message as read
DELETE
/:idAdmin only
Delete message
Universal Search — /api/v1/search
Method
Endpoint
Access
Description
GET
/?q=&type=&limit=Public
Search articles, research, testimonials
Method
Endpoint
Access
Description
POST
/imageAdmin/Mod
Upload single image to ImageKit
POST
/pdfAdmin/Mod
Upload single PDF to ImageKit
POST
/videoAdmin/Mod
Upload single video
We use a decoupled upload strategy via a dedicated POST /api/v1/upload endpoint.
Instead of handling raw multipart/form-data during entity creation (Articles, Research, Testimonials), the frontend pre-uploads the files to the upload endpoints. The API responds with a structured { url, fileId } object, which the frontend then attaches as JSON to the entity endpoints. This keeps entity payloads strictly JSON and significantly simplifies validation and service logic.
Copy .env.example to .env and fill in every value.
# SERVERPORT = 5000
NODE_ENV = development
# DATABASEMONGO_URI = mongodb+srv://...
# REDISREDIS_URL = redis://localhost:6379
# JWTJWT_ACCESS_SECRET = ...
JWT_REFRESH_SECRET = ...
JWT_ACCESS_EXPIRY = 15m
JWT_REFRESH_EXPIRY = 7d
# IMAGEKITIMAGEKIT_PUBLIC_KEY = ...
IMAGEKIT_PRIVATE_KEY = ...
IMAGEKIT_URL_ENDPOINT = ...
# CLOUDINARYCLOUDINARY_CLOUD_NAME = ...
CLOUDINARY_API_KEY = ...
CLOUDINARY_API_SECRET = ...
# EMAILSMTP_HOST = ...
SMTP_PORT = ...
SMTP_USER = ...
SMTP_PASS = ...
# WHATSAPPDOCTOR_WHATSAPP_NUMBER = 880...
WHATSAPP_SESSION_PATH = ./whatsapp-session
# TELEGRAMTELEGRAM_BOT_TOKEN = ...
TELEGRAM_CHAT_ID = ... # 1. Install dependencies# 2. Set up environment variables# 3. Start development server
Script
Command
Description
Development
bun run devStart with auto-restart + path alias resolution
Build
bun run buildCompile TypeScript to dist/
Production
bun startRun compiled JS with path alias resolution
Type Check
bun run type-checkFull TypeScript check, no emit
Password Hashing : bcrypt (salt rounds: 12)Token Security : JWT Access + Refresh token rotationRedis Blacklisting : Refresh tokens invalidated on logout via Redis JTI blacklistSanitization : express-mongo-sanitize + xss globally appliedRate Limiting : Redis-backed limits for auth, search, and trackingCORS : Strict whitelist for public and dashboard domains
Template
Trigger
Recipient
otp-email.template.tsForgot password
Admin/Moderator
magic-login.template.tsMagic login link
Admin/Moderator
moderator-invite.template.tsNew moderator created
New moderator
appointment-confirmation.template.tsAppointment submitted
Patient
contact-confirmation.template.tsContact form submitted
Visitor
password-changed.template.tsPassword reset success
User
Private & Confidential. All rights reserved. Proprietary codebase.