- Responsive 3-column layout for desktop
- Mobile-first design with sheet-based navigation
- Mock email and mailbox data
- Google OAuth and standard email/password authentication
- Secure token-based authentication with automatic refresh
- Bulk email actions (Mark as Read/Unread, Delete)
Follow these instructions to get the project running on your local machine.
-
Clone the repository:
git clone https://github.com/TQTuyen/Inbox-Mind.git cd inbox-mind -
Install dependencies:
pnpm install
To run both the frontend and backend servers in parallel for development, use the start script:
pnpm start- Frontend will be available at
http://localhost:4200/ - Backend will be available at
http://localhost:3000/
You can also run them separately:
- Frontend only:
pnpm fe:run - Backend only:
pnpm be:run
- Build for production:
pnpm build - Run tests:
pnpm test - Lint code:
pnpm lint
The application is hosted at: Inbox Mind
-
Build the applications:
pnpm build
This command compiles the frontend and backend applications into the
dist/directory. -
Run the production backend:
node dist/apps/backend/main.js
-
Serve the production frontend: The frontend is a standard static site. You can use any static file server. For example, using
serve:# Install serve globally if you haven't already npm install -g serve # Serve the frontend build output serve -s dist/apps/frontend
Authentication is handled via a robust token-based system designed with security in mind.
-
Access Token (JWT): A short-lived (e.g., 15 minutes) JSON Web Token is stored in memory using a
Zustandstate management store. It is not accessible tolocalStorageorsessionStorage, which mitigates the risk of XSS attacks stealing the token. It is sent in theAuthorizationheader for API requests. -
Refresh Token: A long-lived, single-use refresh token is stored in a secure,
HttpOnlycookie. This is the primary credential for maintaining a user's session.- The
HttpOnlyflag prevents any client-side JavaScript from accessing the cookie, providing a strong defense against XSS. - The
withCredentials: trueflag in theaxiosconfiguration ensures this cookie is automatically sent with requests to the backend authentication endpoints.
- The
- When the access token expires, the backend API returns a
401 Unauthorizedstatus. - An
axiosresponse interceptor on the frontend catches this status. - It makes a "silent" request to the
/api/v1/auth/refreshendpoint. This request automatically includes theHttpOnlyrefresh token cookie. - If the refresh token is valid, the backend issues a new access token.
- The frontend updates the in-memory
Zustandstore with the new access token and automatically retries the original failed request. - The application also uses a proactive refresh mechanism, where it refreshes the token shortly before it expires to improve user experience.
- A
BroadcastChannelis used to sync token updates and logout events across multiple browser tabs.
This architecture ensures that the highly sensitive refresh token is never exposed to the client-side application code, providing a secure session management experience.
-
Google OAuth: Authentication is supported via Google Sign-In. To enable Google OAuth, you need to obtain a Google Client ID from the Google Cloud Console. Follow these steps:
- Go to the Google Cloud Console: Navigate to https://console.cloud.google.com/.
- Create a New Project:
- Click on the project selector in the header (usually next to "Google Cloud").
- Click "New Project."
- Give your project a name (e.g., "InboxMind OAuth") and click "Create."
- Enable the Google People API:
- In the search bar at the top, search for "Google People API" and select it.
- Click "Enable."
- Configure the OAuth Consent Screen:
- In the left navigation menu, go to "APIs & Services" > "OAuth consent screen."
- Choose "External" as the User type and click "CREATE."
- Fill in the required fields on the "OAuth consent screen" (App name, User support email, Developer contact information). For testing, you can use placeholder values.
- Add your test user accounts (email addresses) to the "Test users" section.
- Click "SAVE AND CONTINUE."
- On the "Scopes" page, you don't necessarily need to add any scopes for basic login if you are only getting basic profile info. Click "SAVE AND CONTINUE."
- Review the summary and click "BACK TO DASHBOARD."
- Create OAuth 2.0 Client ID Credentials:
- In the left navigation menu, go to "APIs & Services" > "Credentials."
- Click "+ CREATE CREDENTIALS" and select "OAuth client ID."
- For "Application type," select "Web application."
- Give your OAuth client a name (e.g., "InboxMind Web Client").
- Authorized JavaScript origins: Add
http://localhost:4200(your frontend development URL). If deploying, also add your production frontend URL (e.g.,https://inbox-mind-rosy.vercel.app). - Authorized redirect URIs: This field is often not strictly needed for client-side Google Sign-In using
@react-oauth/googleas it handles the redirects internally. However, if your backend also handles Google authentication, you might need to addhttp://localhost:3000/api/v1/auth/google/callback(or your backend's production URL). - Click "CREATE."
- Copy your Client ID: Your Client ID will be displayed. Copy this string.
- Set Environment Variable: In your frontend project, create a
.envfile (if it doesn't exist) and add your Google Client ID:ReplaceVITE_GOOGLE_CLIENT_ID="YOUR_GOOGLE_CLIENT_ID"
"YOUR_GOOGLE_CLIENT_ID"with the actual Client ID you copied. Restart your frontend development server for the changes to take effect.
-
Dicebear: User avatars are generated dynamically using the Dicebear Avatar API.
-
Hosting Provider: Vercel