Dewan Mahmud's TaskMaster API
Postman Testing Guide (JWT Auth, Projects, Nested Tasks, Ownership Checks)
Base URL
Use this base URL in Postman (storing it as an environment variable such as base_url saves editing every request):
http://localhost:3000
If your server runs on another port, replace 3000 with your port. The tokens and ids you collect below are also easiest to keep as Postman variables rather than pasting them into each request by hand.
Important Notes
- All protected routes require the header: Authorization: Bearer <TOKEN>
- Expected security results:
  - 401 if the request carries no token (a malformed, tampered or expired token should be rejected with 401 as well, not with a 500, which would mean the verification error is unhandled)
  - 403 if an authenticated user tries to read, change or delete another user's project or task
  - A 403 confirms to the caller that the resource exists. If the API is later changed to answer 404 for resources the caller does not own, update the expected codes in Step 11 to match.
- Nested task routes: /api/projects/:projectId/tasks
- Task update/delete routes: /api/tasks/:taskId
Step 0: Health Check
GET http://localhost:3000/api
Expected: Status 200 with the body text: Dewan Mahmud TaskMaster API running
Step 1: Register User A
POST http://localhost:3000/api/users/register
Headers:
Content-Type: application/json
Body (raw JSON):
{
"username": "userA",
"email": "a@test.com",
"password": "password123"
}
Expected: Status 201. Registering an email that already exists will not return 201, so on a repeat run use a fresh database or new email addresses.
Step 2: Login User A (Save TOKEN_A)
POST http://localhost:3000/api/users/login
Headers:
Content-Type: application/json
Body (raw JSON):
{
"email": "a@test.com",
"password": "password123"
}
Expected: Status 200 and a token in the response. Copy and save it as TOKEN_A.
Step 3: Security Test (No Token)
GET http://localhost:3000/api/projects
Expected: Status 401 Unauthorized. Repeat the request with Authorization: Bearer not.a.jwt; a malformed token must also be rejected with 401 rather than a 500.
Step 4: Create a Project (User A)
POST http://localhost:3000/api/projects
Headers:
Authorization: Bearer TOKEN_A
Content-Type: application/json
Body:
{
"name": "Project A",
"description": "First project"
}
Expected: Status 201. Copy the returned _id and save it as PROJECT_ID_A.
Step 5: Get All Projects (User A)
GET http://localhost:3000/api/projects
Headers:
Authorization: Bearer TOKEN_A
Expected: Status 200. Should return only User A's projects: Project A must be in the list, and nothing created by another user may appear.
Step 6: Create a Task (Nested Route)
POST http://localhost:3000/api/projects/PROJECT_ID_A/tasks
Headers:
Authorization: Bearer TOKEN_A
Content-Type: application/json
Body:
{
"title": "Task A1",
"description": "First task",
"status": "To Do"
}
Expected: Status 201. Copy the returned _id and save it as TASK_ID_A.
Step 7: Get Tasks for a Project (User A)
GET http://localhost:3000/api/projects/PROJECT_ID_A/tasks
Headers:
Authorization: Bearer TOKEN_A
Expected: Status 200. Returns the list of tasks for that project.
Step 8: Update a Task (User A)
PUT http://localhost:3000/api/tasks/TASK_ID_A
Headers:
Authorization: Bearer TOKEN_A
Content-Type: application/json
Body:
{
"status": "Done"
}
Expected: Status 200 and updated task returned.
Step 9: Register User B
POST http://localhost:3000/api/users/register
Headers:
Content-Type: application/json
Body:
{
"username": "userB",
"email": "b@test.com",
"password": "password123"
}
Expected: Status 201
Step 10: Login User B (Save TOKEN_B)
POST http://localhost:3000/api/users/login
Headers:
Content-Type: application/json
Body:
{
"email": "b@test.com",
"password": "password123"
}
Expected: Status 200 and a token in the response. Save as TOKEN_B.
Step 11: Ownership Tests (User B must get 403)
11A: User B tries to read User A's project
GET http://localhost:3000/api/projects/PROJECT_ID_A
Headers:
Authorization: Bearer TOKEN_B
Expected: Status 403 Forbidden
11B: User B tries to create a task in User A's project
POST http://localhost:3000/api/projects/PROJECT_ID_A/tasks
Headers:
Authorization: Bearer TOKEN_B
Content-Type: application/json
Body:
{
"title": "Hacker Task"
}
Expected: Status 403 Forbidden. Repeat Step 7 with TOKEN_A afterwards to confirm that no "Hacker Task" was created; the status code alone does not prove the write was blocked.
11C: User B tries to update User A's task
PUT http://localhost:3000/api/tasks/TASK_ID_A
Headers:
Authorization: Bearer TOKEN_B
Content-Type: application/json
Body:
{
"status": "In Progress"
}
Expected: Status 403 Forbidden. When User A reads the task it must still show the status "Done" set in Step 8.
11D: User B tries to delete User A's task
DELETE http://localhost:3000/api/tasks/TASK_ID_A
Headers:
Authorization: Bearer TOKEN_B
Expected: Status 403 Forbidden. The task must still be returned to User A by Step 7.
Step 12: Cleanup (User A)
Delete Task
DELETE http://localhost:3000/api/tasks/TASK_ID_A
Headers:
Authorization: Bearer TOKEN_A
Expected: a success status (200 or 204, whichever the implementation returns).
Delete Project
DELETE http://localhost:3000/api/projects/PROJECT_ID_A
Headers:
Authorization: Bearer TOKEN_A
Expected: a success status. Repeat Step 5 afterwards; Project A must no longer appear in the list.
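The steps above are one procedure, so here is the whole flow as a script that can run in CI rather than by hand in Postman. This is an added example written for this guide, not code from the TaskMaster project. It assumes Node 18 or later (for the built-in fetch), that the login response carries the JWT in a field named token, and that created projects and tasks return their id as _id. The per-run email suffix, the extra malformed-token request, the delete-by-User-B check, the acceptance of either 200 or 204 for the deletes, and the RUN_TASKMASTER_CHECKS switch are my additions; the guide does not state them.

```javascript
// Added example for the TaskMaster Postman guide; not part of the project.
// Assumes Node 18+ (global fetch), a "token" field in the login response and
// "_id" on created projects and tasks.
const DEFAULT_BASE_URL = 'http://localhost:3000';

// Build one request from the pieces the guide lists for each step: method,
// path, optional bearer token, optional JSON body. Returns plain data so the
// request can be inspected (or asserted on) before anything is sent.
function buildRequest(baseUrl, method, path, { token, body } = {}) {
  const headers = {};
  if (token) headers.Authorization = `Bearer ${token}`;
  if (body !== undefined) headers['Content-Type'] = 'application/json';
  return {
    method,
    url: baseUrl + path,
    headers,
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Send a request with the supplied fetch and parse the body as JSON when it
// is JSON (the health check in Step 0 returns plain text).
async function send(fetchImpl, req) {
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  const text = await res.text();
  let json = null;
  try { json = JSON.parse(text); } catch { /* not JSON */ }
  return { status: res.status, json, text };
}

// Run the full plan and return one record per step. Later steps are attempted
// even if an earlier one failed, so a single run reports every gap at once.
// fetchImpl is injectable so the plan can be exercised against a stub.
async function runPlan({ baseUrl = DEFAULT_BASE_URL, fetchImpl = globalThis.fetch } = {}) {
  const results = [];
  const suffix = Date.now(); // assumption: fresh emails so repeat runs still get 201 on register
  const userA = { username: `userA${suffix}`, email: `a${suffix}@test.com`, password: 'password123' };
  const userB = { username: `userB${suffix}`, email: `b${suffix}@test.com`, password: 'password123' };

  // expected may be one status or a list of acceptable statuses.
  async function step(name, expected, method, path, opts) {
    const { status, json } = await send(fetchImpl, buildRequest(baseUrl, method, path, opts));
    results.push({ name, expected, status, ok: [].concat(expected).includes(status) });
    return json;
  }

  await step('0 health check', 200, 'GET', '/api');
  await step('1 register A', 201, 'POST', '/api/users/register', { body: userA });
  const loginA = await step('2 login A', 200, 'POST', '/api/users/login',
    { body: { email: userA.email, password: userA.password } });
  const tokenA = loginA && loginA.token; // assumption: the token field is named "token"
  await step('3 no token', 401, 'GET', '/api/projects');
  await step('3b malformed token', 401, 'GET', '/api/projects', { token: 'not.a.jwt' });
  const project = await step('4 create project', 201, 'POST', '/api/projects',
    { token: tokenA, body: { name: 'Project A', description: 'First project' } });
  const projectIdA = project && project._id;
  await step('5 list projects', 200, 'GET', '/api/projects', { token: tokenA });
  const task = await step('6 create task', 201, 'POST', `/api/projects/${projectIdA}/tasks`,
    { token: tokenA, body: { title: 'Task A1', description: 'First task', status: 'To Do' } });
  const taskIdA = task && task._id;
  await step('7 list tasks', 200, 'GET', `/api/projects/${projectIdA}/tasks`, { token: tokenA });
  await step('8 update task', 200, 'PUT', `/api/tasks/${taskIdA}`, { token: tokenA, body: { status: 'Done' } });
  await step('9 register B', 201, 'POST', '/api/users/register', { body: userB });
  const loginB = await step('10 login B', 200, 'POST', '/api/users/login',
    { body: { email: userB.email, password: userB.password } });
  const tokenB = loginB && loginB.token;
  await step('11A B reads A project', 403, 'GET', `/api/projects/${projectIdA}`, { token: tokenB });
  await step('11B B creates task in A project', 403, 'POST', `/api/projects/${projectIdA}/tasks`,
    { token: tokenB, body: { title: 'Hacker Task' } });
  await step('11C B updates A task', 403, 'PUT', `/api/tasks/${taskIdA}`,
    { token: tokenB, body: { status: 'In Progress' } });
  await step('11D B deletes A task', 403, 'DELETE', `/api/tasks/${taskIdA}`, { token: tokenB });
  // The guide gives no status for the deletes; 200 and 204 are both accepted here.
  await step('12 A deletes task', [200, 204], 'DELETE', `/api/tasks/${taskIdA}`, { token: tokenA });
  await step('12 A deletes project', [200, 204], 'DELETE', `/api/projects/${projectIdA}`, { token: tokenA });
  return results;
}

// Every step whose status did not match.
function failures(results) {
  return results.filter((r) => !r.ok);
}

// Only hits the network when explicitly asked, e.g.
// RUN_TASKMASTER_CHECKS=1 BASE_URL=http://localhost:3000 node taskmaster-check.js
if (process.env.RUN_TASKMASTER_CHECKS === '1') {
  runPlan({ baseUrl: process.env.BASE_URL || DEFAULT_BASE_URL }).then((results) => {
    for (const r of results) {
      console.log(`${r.ok ? 'PASS' : 'FAIL'} ${r.name}: expected ${[].concat(r.expected).join('/')}, got ${r.status}`);
    }
    process.exitCode = failures(results).length ? 1 : 0;
  });
}
```

Run it with the server up: RUN_TASKMASTER_CHECKS=1 node taskmaster-check.js (set BASE_URL if the port differs). Each step is recorded as data rather than only printed, so a CI job can fail on any unexpected status, and because fetchImpl is injectable the plan itself can be checked against a stub of the API before it is pointed at the real one.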