LedgerFlow

A production-ready banking API with ACID compliance, ledger tracking, and enterprise-grade security.

๐Ÿ”’ ACID Compliant
โšก Idempotent Operations
๐Ÿ“Š Immutable Ledger
โšก

Core Features

๐Ÿ”

Security

JWT authentication with token blacklist, bcrypt hashing, and dual middleware for role-based access control.

๐Ÿ’ฐ

Accounts

Multi-account support with ACTIVE status tracking, balance calculation from immutable ledger entries.

๐Ÿ’ธ

Transactions

Money transfers with idempotency keys, 7-second delay for concurrency, and email notifications.

๐Ÿ“Š

Ledger

Immutable audit trail with DEBIT/CREDIT entries, pre-hooks preventing modifications after creation.

๐Ÿ”’

Data Integrity

ACID transactions, race condition prevention, unique constraints on idempotency keys.

๐Ÿ“ง

Notifications

OAuth2 Gmail integration for registration emails and real-time transaction alerts.

๐Ÿ”ฌ

ACID Compliance

Full ACID compliance ensures financial transactions are reliable and secure under concurrent load. Implemented using MongoDB 4.0+ transactions.

A
Atomicity
  • MongoDB sessions with startTransaction/commitTransaction
  • All-or-nothing operations
  • Automatic rollback on failure
  • Prevents partial transactions
C
Consistency
  • Unique idempotencyKey constraint
  • Ledger immutability (no updates/deletes)
  • Balance = Credits - Debits
  • Schema validation & referential integrity
I
Isolation
  • Session-based transaction isolation
  • Atomic idempotency checks
  • 7-second delay between DEBIT/CREDIT
  • Prevents dirty reads
D
Durability
  • Write-after-commit persistence
  • Write-once, read-many ledger
  • Status tracking for recovery
  • Replica set durability
๐ŸŽ“ Key Concepts Applied
  • Normalization: Separate collections for users, accounts, transactions, ledger, tokenBlacklist
  • Indexing: Compound indexes on (user, status) and TTL on blacklist (3-day expiry)
  • Pre-Hooks: Prevent ledger UPDATE/DELETE after creation
  • Aggregation: Balance calculation via ledger aggregation pipeline
โš™๏ธ

Technical Implementation

Database & Data Modeling

๐Ÿ—„๏ธ
MongoDB Transactions
ACID compliance with session-based transactions
๐Ÿ“‹
Schema Design
Normalized collections with ObjectId references
๐Ÿ“‡
Indexing Strategy
Compound indexes, TTL on blacklist (3 days)

Concurrency Control

๐Ÿ”’
Atomic Operations
Session-based transaction isolation
โฑ๏ธ
Idempotency Keys
UUID v4 prevents duplicate processing
โณ
7-Second Delay
Between DEBIT/CREDIT for stability

Security

๐Ÿ”‘
JWT Authentication
Token-based with blacklist support
๐Ÿ›ก๏ธ
Dual Auth Middleware
User auth + system auth for admin
๐Ÿšซ
Token Blacklist
3-day auto-expiry TTL index

Stack

๐Ÿ–ฅ๏ธ
Backend
Node.js + Express.js
๐Ÿ—„๏ธ
Database
MongoDB + Mongoose ODM
๐Ÿ“ง
Email
Nodemailer + OAuth2 Gmail
๐Ÿ“š

API Reference

Authentication

POST
/api/auth/register
Create new user account
name email password
POST
/api/auth/login
Login & get JWT token
email password
POST
/api/auth/logout
Logout & blacklist token
Auth

Account Management

POST
/api/accounts
Create bank account
Auth
GET
/api/accounts
Get all accounts
Auth
GET
/api/accounts/balance
Check balance
Auth
GET
/api/accounts/history
Transaction history
Auth

Transactions

POST
/api/transactions
Transfer money
Auth fromUserAccount toUserAccount amount idempotencyKey
POST
/api/transactions/system/initial-fund
Admin funding
System
๐Ÿ“‹

Guidelines & Important Features

๐Ÿ” Authentication

Include header Authorization: Bearer <token>

๐Ÿšซ Logout

POST /api/auth/logout adds token to blacklist with 3-day auto-expiry

๐Ÿ†” Idempotency

Use unique UUID v4 for each transaction to prevent duplicates

โš–๏ธ Balance

Total Credits - Total Debits (calculated from immutable ledger)

โฑ๏ธ 7-Second Delay

Between DEBIT and CREDIT creation for concurrent request handling

๐Ÿ“ง Notifications

Both sender and receiver get email alerts for all transactions

๐Ÿš€

Quick Start

# 1. Register new user
POST /api/auth/register
{
  "name": "John Doe",
  "email": "john@example.com",
  "password": "secure123"
}

# 2. Login to get token
POST /api/auth/login
{
  "email": "john@example.com",
  "password": "secure123"
}

# 3. Create account
POST /api/accounts
Authorization: Bearer <token>

# 4. Check balance
GET /api/accounts/balance
Authorization: Bearer <token>

# 5. Transfer money (use unique idempotencyKey)
POST /api/transactions
Authorization: Bearer <token>
{
  "fromUserAccount": "acc_123",
  "toUserAccount": "acc_456",
  "amount": 1000,
  "idempotencyKey": "550e8400-e29b-41d4-a716-446655440000"
}

# 6. Logout (blacklist token)
POST /api/auth/logout
Authorization: Bearer <token>
โš ๏ธ Important Notes
  • Same idempotencyKey returns cached transaction - no duplicates
  • Only ACTIVE accounts can perform transactions
  • System endpoints require special SYSTEM_USER authentication
  • Balance endpoint retrieves user's first account by default