Staart is a Node.js backend starter for SaaS startups written in TypeScript. It has built-in user management and authentication, billing, organizations, GDPR tools, and more.
Status | |
---|---|
Build | |
Dependencies | |
Community |
Staart is build to work with Staart UI, the frontend starter for SaaS.
- Authentication and user management with JWT
- Two-factor authentication with TOTP
- Setup multiple emails for each account
- OAuth2 login with third-party accounts
- Location-based login verification
- Security event logging and history
- Subscriptions management with Stripe
- Organizations, teams, and user permissions
- Invoices, billing, credit cards, payments
- Rich HTML transactional emails with SES
- GDPR-proof data export and delete
- Affiliates and commission management
- API gateway with API keys and rate limits
- Auto-join members with domain verification
- Decorators and class syntax with OvernightJS
- Injection-proof helpers for querying databases
- Data pagination and CRUD utilities for all tables
- Authorization helpers (can a user do this?)
- TypeScript interfaces for tables (ORM)
- Caching and invalidation for common queries
- User impersonation for super-admin
- Easy redirect rules in YAML
- Store server logs in ElasticSearch every minute
- Use this template or fork this repository
- Install dependencies with
yarn
ornpm i
- Add a
.env
file based on config.ts. - Create MariaDB/MySQL tables based on schema.sql
- Add your controllers in the
./src/controllers
directory - Generate your
app.ts
file usingyarn generate-routes
- Build with
yarn build
and deploy withyarn start
To update your installation of Staart, run the following:
node setup/update.js
If you've used the "Use this template" option on GitHub, you might have to force pull from staart/api
the first time since the histories wouldn't match. You can use the flag --allow-unrelated-histories
in this case.
- Getting started
- Setting up environment variables
- Creating a controller
- Updating Staart
- Response headers
- Throwing errors
- Authorization
- API key authentication
- Redirects
- Serving static files
After forking this repository, you can get started by writing your first endpoint. We do this by creating a new file in the ./src/controllers
folder. For example, create api.ts
:
import { Request, Response } from "express";
import asyncHandler from "express-async-handler";
import { Get, Controller, ClassWrapper, Middleware } from "@overnightjs/core";
import { authHandler, validator } from "../helpers/middleware";
import Joi from "@hapi/joi";
@Controller("api")
@ClassWrapper(asyncHandler)
export class ApiController {
@Get("hello")
@Middleware(
validator(
{ name: Joi.string().min(3).required() },
"query"
)
)
async sayHello(req: Request, res: Response) {
const name = req.query.name;
if (name === "Anand")
return res.json({ text: `Hello, ${name}!`; });
throw new Error("404/user-not-found");
}
}
The above code 20 lines of code with create a new endpoint which can be accessed at example.com/api/hello?name=Anand
, which will respond with a JSON object with the text "Hello, Anand!".
Staart code is easily understandable. You create a new controller, api
, which means all routes in this class will have the prefix /api
. Then, you create an HTTP GET method hello
and use our built-in validator to say that the query parameter name
must be a string
of at least 3 characters.
With the asyncHandler
, you can use async functions and Staart will handle errors for you. In this case, if the provided name is Anand, your function returns a JSON response "Hello, Anand!" and otherwise sends an error 404.
For common tasks such as finding users or authorizing API keys, Staart provides various helper functions.
Let's look at what you need to do if you want to let users be able to delete organizations. For this, you want to check where a user is actually allowed to delete that organization, if they're logged in, and make sure nobody can brute force this endpoint.
import { can } from "../helpers/authorization";
import { Authorizations } from "../interfaces/enum";
import { INSUFFICIENT_PERMISSION } from "@staart/errors";
import { authHandler, bruteForceHandler } from "../helpers/middleware";
import { deleteOrganization } from "../crud/organization";
// Your controller here
@Get("delete/:id")
@Middleware(authHandler)
@Middleware(bruteForceHandler)
async deleteOrg(req: Request, res: Response) {
const orgId = req.params.id;
const userId = res.locals.token.id;
if (await can(userId, Authorizations.DELETE, "organization", orgId)) {
await deleteOrganization(orgId);
return res.status(204);
}
throw new Error(INSUFFICIENT_PERMISSION);
}
In the above example, the Staart helpers and middleware used are:
- Authentication (
authHandler
): Checks if a user's token is valid and addsres.locals.token
; and if it isn't, sends a401 Unauthorized
error. - Brute force prevention (
bruteForceHandler
): Prevents users from making too many requests in a short time, can be configured via./src/config.ts
- Authorization (
can
): Returns whether a user is allowed to perform an action based on their permissions
Of course, we actually prefer to write our logic in the rest
folder and only the handler as a controller. For a deeper dive into Staart, look at our Wiki docs.
Thanks goes to these wonderful people (emoji key):
Anand Chowdhary π» π π¨ |
reallinfo π¨ |
Cool π π€ |
EK π π» |
mattp95 π |
This project follows the all-contributors specification. Contributions of any kind welcome!
The Staart ecosystem consists of open-source projects to build your SaaS startup, written in TypeScript.
Package | ||
---|---|---|
π οΈ Staart API | Node.js backend with RESTful APIs | |
π Staart UI | Frontend Vue.js Progressive Web App | |
π Staart Site | Static site generator for docs/helpdesk | |
π± Staart Native | React Native app for Android and iOS | |
π¨ Staart.css | Sass/CSS framework and utilities |
The development of Staart projects is supported by these wonderful companies. Find us on OpenCollective
Oswald Labs |
O15Y |
Speakup |