Gobind
Systems. Network. Cloud. Security.

Employee Manager

Full-stack employee management system with secure JWT authentication, role-based access control, and a shared API consumed by both a React web dashboard and an Android mobile client.

React, TypeScript, Node.js, Express, PostgreSQL, Kotlin, Jetpack Compose

Problem

Many small teams need simple task assignment and attendance tracking but existing SaaS solutions are overly complex or expensive. The goal of this project was to design a secure system where both web and mobile clients interact with a single backend while enforcing strict identity and role boundaries.

Constraints

  • Single-tenant MVP architecture
  • No external authentication provider
  • Server-authoritative identity model
  • Shared REST API used by both web and mobile clients

Architecture

  • Node.js + Express REST API deployed on Render
  • PostgreSQL (Neon) as the primary relational database
  • JWT authentication with role-based middleware enforcement
  • React + TypeScript employer dashboard built with Vite
  • Android mobile client written in Kotlin with Jetpack Compose
  • Backend acting as the single source of truth for identity and authorization

Key decisions

Stateless JWT Authentication

JWTs let the backend authenticate each request without keeping server-side session state, which simplifies horizontal scaling.

Token-Derived Identity

User identity is derived exclusively from the JWT payload rather than request parameters to prevent client-side identity spoofing.

Backend-Enforced Authorization

All sensitive operations validate user roles on the server, ensuring that frontend restrictions cannot be bypassed.

Risks and mitigations

A compromised JWT could allow unauthorized access.

Short-lived tokens and strict role validation on every request reduce the impact of leaked credentials.

Mobile clients may attempt to spoof location data for attendance.

Attendance validation occurs server-side with plans for stronger device verification mechanisms.

Next steps

  • Introduce structured audit logging for sensitive operations
  • Add refresh token rotation for improved authentication security
  • Prepare the schema for multi-tenant support
  • Add automated integration tests for core API flows

Links