Gobind Preet Singh
Systems. Network. Cloud. Security.

Employee Manager

Full-stack employee management system with geofenced attendance verification, JWT authentication, role-based access control, audit logging, and a shared backend consumed by both a React employer dashboard and an Android employee client.

Stack: React, TypeScript, Node.js, Express, PostgreSQL, Kotlin, Jetpack Compose

Problem

The goal was to build a system where an employer web dashboard and an employee mobile app consume the same backend while the server remains authoritative for identity, authorization, attendance validation, and auditability.

Constraints

  • Single-tenant MVP architecture
  • No external authentication provider
  • Server-authoritative identity model
  • Shared REST API used by both web and mobile clients

Architecture

  • Node.js + Express REST API deployed on Render
  • PostgreSQL as the primary relational database
  • JWT authentication with role-based middleware enforcement
  • React + TypeScript employer dashboard built with Vite
  • Android employee client written in Kotlin with Jetpack Compose
  • Backend acting as the single source of truth for identity, authorization, and attendance validation

Key decisions

Stateless JWT Authentication

JWT tokens allow the backend to authenticate requests without maintaining server-side session state, simplifying horizontal scalability.

Token-Derived Identity

User identity is derived exclusively from the JWT payload rather than request parameters to prevent client-side identity spoofing.

Backend-Enforced Authorization

All sensitive operations validate user roles on the server, ensuring that frontend restrictions cannot be bypassed.

Risks and mitigations

JWT token compromise could allow unauthorized access.

Short-lived tokens and strict role validation on every request reduce the impact of leaked credentials.

Mobile clients may attempt to spoof location data for attendance.

Attendance validation occurs server-side with plans for stronger device verification mechanisms.

Next steps

  • Add refresh token rotation for stronger authentication security
  • Implement a secure photo upload pipeline for attendance verification
  • Strengthen anti-location-spoofing protections in the mobile attendance flow
  • Broaden automated coverage for attendance, task, and mobile workflows