Enterprise-grade SaaS platform with intelligent task optimization and real-time collaboration
- Features
- Architecture
- API Endpoints
- Installation
- Environment Configuration
- Running the Application
- WebSocket Events
- Security
- Performance
- Error Handling
- Contributing
- Complete tenant isolation with company-level data segregation
- Tenant-based user management with plan tracking
- Automatic tenant context injection in all operations
- Company-wide settings and configurations
- JWT-based authentication with access & refresh tokens
- Token rotation for enhanced security
- Role-based access control (Admin, Manager, Member)
- Session management with multiple device support
- Cookie-based auth with httpOnly flags
- Logout from all devices functionality
- User registration with company creation
- Profile management with last login tracking
- Active/inactive user states
- Password hashing with bcrypt (salt rounds)
- User session tracking via Redis
- Full CRUD operations for projects
- Team collaboration with member roles (Manager, Member)
- Project prioritization (low, medium, high, urgent)
- Project timeline with start and end dates
- Member management - add/remove team members
- Project statistics - task counts, completion rates
- Activity logging for audit trails
- Hierarchical task structure with subtasks
- Task dependencies (blocks/blocked by relationships)
- Task assignments to multiple team members
- Priority levels (low, medium, high, urgent)
- Status workflow (todo, in-progress, review, done, cancelled)
- Due date tracking with reminders
- Time tracking - estimated vs actual hours
- Task comments with user mentions
- Tags for task categorization
- Activity logs for task history
All AI features are powered by OpenAI GPT-4 and can be toggled via environment configuration:
- Analyzes task dependencies, deadlines, and project context
- Suggests optimal task priorities based on project goals
- Considers team workload and resource availability
- Manager-only feature for controlled AI usage
- Generates optimal task schedules considering dependencies
- Balances workload across team members
- Accounts for task complexity and time estimates
- Optional auto-apply functionality for managers
- Real-time project health scoring
- Risk identification and mitigation suggestions
- Bottleneck detection in task flow
- Progress tracking against timelines
- Actionable insights for project managers
- Context-aware recommendations after task completion
- Considers project priorities and deadlines
- Suggests tasks based on user skills and availability
- Helps maintain project momentum
- In-app notifications with unread tracking
- Notification types:
- Task assigned to you
- Task completed in your project
- Comment mentions
- Project updates
- Deadline reminders
- Bulk operations - mark all as read
- Priority levels for notifications
- WebSocket delivery for instant updates
- Live project updates across all connected clients
- User presence - see who's online in your project
- Typing indicators for comments and descriptions
- Real-time notifications delivery
- Project rooms for isolated communication
- Connection management with auto-reconnect
- Event-driven architecture for instant updates
- Task created/updated/deleted
- Project member added/removed
- Comment added to tasks
- User joined/left project
- Task assignment notifications
- Status changes
- Intelligent caching with automatic invalidation
- Cache strategies:
- Project lists (5-minute TTL)
- Project details (10-minute TTL)
- Task lists (5-minute TTL)
- User sessions (7-day TTL)
- Pattern-based invalidation for related data
- Connection pooling for optimal performance
- Upstash serverless Redis for scalability
- Authentication endpoints: 5 requests per 15 minutes
- API endpoints: 100 requests per minute
- AI endpoints: 50 requests per hour
- User-based and IP-based limiting
- Sliding window algorithm for accurate limiting
- Custom headers with rate limit info
- Helmet.js for security headers
- CORS configuration with whitelisted origins
- Request sanitization and validation
- SQL injection prevention via Mongoose
- XSS protection through input sanitization
- CSRF protection with SameSite cookies
- Environment variable validation with Zod
- Password requirements (minimum 8 characters)
- Bcrypt hashing with salt rounds
- JWT expiration handling
- Refresh token rotation
- Secure cookie flags (httpOnly, secure, sameSite)
- MongoDB with Mongoose ODM
- Schema validation with TypeScript
- Database indexes for query optimization
- Connection pooling (max 10 connections)
- Tenant isolation at document level
- Soft deletes support
- Timestamps on all documents
- Authentication middleware for protected routes
- Authorization middleware for role-based access
- Validation middleware for input sanitization
- Error handling middleware with custom error classes
- Cache middleware for GET requests
- Rate limiting middleware for API protection
- AI feature toggle middleware
- Custom error classes:
AppError- Base error classAuthenticationError- 401 errorsAuthorizationError- 403 errorsValidationError- 400 errorsNotFoundError- 404 errorsConflictError- 409 errors
- Centralized error handler with logging
- Environment-aware error responses
- Stack trace in development mode
taskflow-ai/
├── src/
│ ├── config/ # Configuration and setup
│ │ ├── database.ts # MongoDB connection with retry logic
│ │ ├── redis.ts # Upstash Redis client setup
│ │ └── index.ts # Central config with Zod validation
│ │
│ ├── controllers/ # Request handlers
│ │ ├── auth.controller.ts # Login, register, refresh, logout
│ │ ├── project.controller.ts # Project CRUD + members
│ │ ├── task.controller.ts # Task operations + comments
│ │ └── ai.controller.ts # AI feature endpoints
│ │
│ ├── middleware/ # Express middleware
│ │ ├── auth.middleware.ts # JWT verification & extraction
│ │ ├── cache.middleware.ts # Redis caching layer
│ │ ├── rateLimit.middleware.ts # API rate limiting
│ │ ├── validation.middleware.ts # Input validation
│ │ ├── error.middleware.ts # Global error handler
│ │ └── ai.middleware.ts # AI feature access control
│ │
│ ├── models/ # MongoDB schemas
│ │ ├── base.model.ts # Base model with tenant isolation
│ │ ├── user.model.ts # User with password hashing
│ │ ├── tenant.model.ts # Company/tenant model
│ │ ├── project.model.ts # Project with members
│ │ ├── task.model.ts # Task with dependencies
│ │ └── notification.model.ts # Notification model
│ │
│ ├── routes/ # API route definitions
│ │ ├── auth.routes.ts # /api/auth/*
│ │ ├── project.routes.ts # /api/projects/*
│ │ ├── task.routes.ts # /api/tasks/*
│ │ ├── ai.routes.ts # /api/ai/*
│ │ ├── notification.routes.ts # /api/notifications/*
│ │ └── index.ts # Route aggregator
│ │
│ ├── services/ # Business logic layer
│ │ ├── auth.service.ts # Authentication logic
│ │ ├── project.service.ts # Project operations
│ │ ├── task.service.ts # Task management
│ │ ├── ai.service.ts # OpenAI integration
│ │ ├── socket.service.ts # WebSocket management
│ │ ├── cache.service.ts # Redis operations
│ │ └── notification.service.ts # Notification handling
│ │
│ ├── utils/ # Helper utilities
│ │ ├── errors.ts # Custom error classes
│ │ └── jwt.utils.ts # JWT helpers
│ │
│ ├── types/ # TypeScript definitions
│ │ └── index.ts # Shared types & interfaces
│ │
│ ├── app.ts # Express app configuration
│ └── server.ts # Server entry point
│
├── dist/ # Compiled JavaScript output
├── .env.example # Environment variables template
├── package.json # Dependencies and scripts
├── tsconfig.json # TypeScript configuration
└── railway.json # Railway deployment config
| Method | Endpoint | Description | Rate Limit |
|---|---|---|---|
| POST | /register |
Register new user with company | 5/15min |
| POST | /login |
Login with email/password | 5/15min |
| POST | /logout |
Logout and invalidate tokens | - |
| POST | /refresh-token |
Refresh access token | 5/15min |
| GET | /me |
Get current user profile | - |
| Method | Endpoint | Description | Cache |
|---|---|---|---|
| GET | / |
List all user projects | 5 min |
| GET | /:id |
Get project details | 10 min |
| POST | / |
Create new project | - |
| PUT | /:id |
Update project | - |
| DELETE | /:id |
Delete project | - |
| POST | /:id/members |
Add team member | - |
| DELETE | /:id/members/:memberId |
Remove member | - |
| Method | Endpoint | Description |
|---|---|---|
| GET | /projects/:projectId/tasks |
List project tasks |
| GET | /tasks/:id |
Get task details |
| POST | /projects/:projectId/tasks |
Create new task |
| PUT | /tasks/:id |
Update task |
| DELETE | /tasks/:id |
Delete task |
| PATCH | /tasks/:id/status |
Update task status |
| GET | /tasks/:id/subtasks |
Get subtasks |
| POST | /tasks/:id/dependencies |
Add dependency |
| DELETE | /tasks/:id/dependencies/:depId |
Remove dependency |
| POST | /tasks/:id/comments |
Add comment |
| Method | Endpoint | Description | Requirements |
|---|---|---|---|
| POST | /projects/:projectId/ai/prioritize |
AI task prioritization | Manager role |
| POST | /projects/:projectId/ai/schedule |
Generate AI schedule | Manager role |
| POST | /tasks/:taskId/ai/suggest-next |
Get next task suggestions | Task completed |
| POST | /projects/:projectId/ai/analyze-health |
Analyze project health | Project member |
| Method | Endpoint | Description |
|---|---|---|
| GET | / |
Get user notifications |
| PUT | /:id/read |
Mark notification as read |
| PUT | /read-all |
Mark all as read |
- Node.js v18+
- MongoDB v5.0+
- Redis/Upstash account
- OpenAI API key (for AI features)
- Clone the repository
git clone https://github.com/yourusername/taskflow-ai.git
cd taskflow-ai- Install dependencies
npm install- Configure environment
cp .env.example .env
# Edit .env with your configurationCreate a .env file with the following variables:
# Server Configuration
NODE_ENV=development
PORT=3000
# MongoDB Configuration
MONGO_URI=mongodb://localhost:27017/taskflow
# For MongoDB Atlas:
# MONGO_URI=mongodb+srv://username:password@cluster.mongodb.net/taskflow
# JWT Configuration
JWT_SECRET=your-super-secret-key-minimum-32-characters
JWT_EXPIRE=7d
# Redis Configuration (Upstash)
REDIS_URL=rediss://default:password@endpoint.upstash.io:6379
CACHE_TTL=3600
# OpenAI Configuration
OPENAI_API_KEY=sk-your-openai-api-key
OPENAI_MODEL=gpt-4-turbo-preview
AI_FEATURES_ENABLED=true
# CORS Origins (comma-separated for multiple)
# Production example:
# CORS_ORIGINS=https://yourdomain.com,https://app.yourdomain.comnpm run dev
# Server runs on http://localhost:3000
# Watches for file changes with nodemon# Build TypeScript to JavaScript
npm run build
# Run the compiled application
npm start# Using Docker Compose
docker-compose up -d
# Or build manually
docker build -t taskflow-ai .
docker run -p 3000:3000 --env-file .env taskflow-ai# Check if API is running
curl http://localhost:3000/health
# Check with features status
curl http://localhost:3000/api/healthconst socket = io('http://localhost:3000', {
auth: { token: 'your-jwt-token' },
transports: ['websocket', 'polling']
});| Event | Description | Payload |
|---|---|---|
join:project |
Join project room | projectId: string |
leave:project |
Leave project room | projectId: string |
typing:start |
Start typing indicator | { projectId, taskId? } |
typing:stop |
Stop typing indicator | { projectId, taskId? } |
| Event | Description | Payload |
|---|---|---|
task:created |
New task created | { task, projectId, timestamp } |
task:updated |
Task updated | { task, changes, projectId } |
task:deleted |
Task deleted | { taskId, projectId } |
task:assigned:you |
Task assigned to user | { task, projectId } |
comment:added |
Comment added to task | { taskId, comment, projectId } |
project:updated |
Project details updated | { project } |
project:member:added |
Member added to project | { member, projectId } |
notification:new |
New notification | { notification } |
user:joined |
User joined project | { userId, projectId } |
user:left |
User left project | { userId, projectId } |
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Content-Security-Policy configured
- Referrer-Policy: no-referrer
sequenceDiagram
Client->>API: POST /auth/login
API->>DB: Verify credentials
API->>Client: Access Token + Refresh Token (cookies)
Client->>API: Request with Bearer Token
API->>API: Verify JWT
API->>Client: Protected Resource
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 2024-01-01T00:00:00.000Z- GET Request Caching: Automatic caching for GET endpoints
- Cache Keys Structure:
taskflow:resource:identifier - Invalidation: Automatic on mutations (POST, PUT, DELETE)
- TTL Management: Configurable per resource type
- Indexes: On frequently queried fields (tenantId, userId, projectId)
- Compound Indexes: For complex queries
- Connection Pooling: Max 10 concurrent connections
- Query Optimization: Lean queries where applicable
- Authentication: < 200ms
- Project List: < 100ms (cached)
- Task Operations: < 150ms
- AI Features: < 3000ms
{
"success": false,
"error": {
"message": "Error description",
"stack": "Stack trace (development only)",
"details": {
// Additional error details in development
}
}
}200- Success201- Created400- Bad Request / Validation Error401- Authentication Required403- Forbidden / Unauthorized404- Resource Not Found409- Conflict (duplicate resource)429- Rate Limit Exceeded500- Internal Server Error
- Fork the repository
- Create feature branch (
git checkout -b feature/AmazingFeature) - Make your changes
- Run linting (
npm run lint) - Format code (
npm run format) - Commit changes (
git commit -m 'Add AmazingFeature') - Push to branch (
git push origin feature/AmazingFeature) - Open Pull Request
- TypeScript: Strict mode enabled
- ESLint: Configured for Node.js/TypeScript
- Prettier: Auto-formatting on save
- Naming: CamelCase for variables, PascalCase for classes
- Comments: JSDoc for public APIs