Dynamic Blogs is a production-minded full-stack blogging platform built with Express, PostgreSQL, and a vanilla HTML/CSS/JS frontend. It demonstrates end-to-end software engineering across product design, backend architecture, security hardening, role-based administration, and deployment readiness.
- What it is: a content publishing web app with user/community features and administrative governance.
- Why it matters: it balances engineering depth (auth, moderation, security, data model) with practical business utility (ready-to-deploy blog/SaaS foundation).
- Deployment target: Render + PostgreSQL with environment-based configuration.
This project evidences applied software engineering skills beyond CRUD implementation:
- Full-stack ownership: designed and implemented frontend UX, backend API surface, and persistence layer.
- Security engineering: CSRF protection, session security, password hashing, rate limiting, and hardened headers.
- Data modeling: normalized relational schema (users/posts/comments/reactions/bookmarks/notifications/admin audit logs) with index strategy.
- Access control design: layered authorization (user, promoted admin, super admin) with explicit policy enforcement.
- Reliability mindset: health endpoint, startup schema initialization, environment-driven behavior, and deployment hardening for reverse proxies.
Dynamic Blogs can be sold or used as a strong base for a content business MVP:
- Supports publishing workflows: user posts, moderation tools, and community engagement features.
- Reduces time-to-market: deploy-ready architecture with a clean server entrypoint and static frontend.
- Extensible foundation: easy to add premium features (payments, premium content, analytics, newsletter, media uploads).
- Operationally practical: environment-based config, health checks, and straightforward hosting on Render.
- Cost-aware development: the optional SMTP fallback mode (verification codes logged to the console instead of being sent) allows testing email flows before paying for provider tiers.
- Account system: register, login, logout, session auth.
- Post management: create, edit, delete, flag/unflag (admin), category/tag support.
- Discussion layer: threaded comments with replies, edit/delete permissions.
- Engagement: useful/not useful reactions and post bookmarks.
- Notifications: mentions, moderation actions, reactions/comments, and promotion events.
- Profiles: user profile pages, edit profile, avatar presets, password change.
- Search: title/body/tags/author search endpoint for feed filtering.
- Single Super Admin model with promoted admins.
- Admin tools include user listing, author verification controls, admin promotion/demotion, and super-admin transfer.
- Verification workflow includes user-submitted author verification requests with super-admin approve/reject review actions.
- Audit trail support for important admin actions.
- Admin credentials can be updated securely through API endpoints.
- UI and API for email verification are implemented.
- SMTP is optional; when SMTP is not configured, verification codes are logged in server output.
- Enforcement is configurable with `REQUIRE_EMAIL_VERIFICATION`:
  - `0` (default): login-only flow, verification not required for protected write actions.
  - `1`: verified email required for selected write actions.
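The layered authorization described above (user, promoted admin, super admin) combined with the `REQUIRE_EMAIL_VERIFICATION` switch, as an added example that is not code from the Dynamic Blogs repository. The role labels, action names and function names are assumptions chosen to match the features the README lists; the actual policy tables in `server.js` may differ.

```javascript
// Added example, not code from the Dynamic Blogs repository: an explicit,
// deny-by-default policy layer for the three roles the README describes plus
// the REQUIRE_EMAIL_VERIFICATION switch. Role labels, action names and function
// names are assumptions for illustration.

// Ordered from least to most privileged; a higher role inherits lower ones.
const ROLES = ['user', 'promoted_admin', 'super_admin'];

// Minimum role each action needs. Actions are assumed names mirroring README
// features: posting, flagging (admin), promotion/demotion and super-admin
// transfer (super admin), author-verification review (super admin).
const MIN_ROLE = {
  'post:create': 'user',
  'comment:create': 'user',
  'bookmark:add': 'user',
  'post:flag': 'promoted_admin',
  'user:list': 'promoted_admin',
  'admin:promote': 'super_admin',
  'admin:demote': 'super_admin',
  'super_admin:transfer': 'super_admin',
  'verification:review': 'super_admin',
};

// Write actions that additionally require a verified email when enforcement is on.
const VERIFIED_EMAIL_ACTIONS = new Set(['post:create', 'comment:create']);

function rank(role) {
  const i = ROLES.indexOf(role);
  if (i < 0) throw new Error(`unknown role: ${role}`);
  return i;
}

// Returns { allowed, reason }. `env` mirrors process.env so the policy can be
// exercised without mutating the real environment.
function authorize(user, action, env = process.env) {
  if (!user) return { allowed: false, reason: 'unauthenticated' };
  const needed = MIN_ROLE[action];
  if (needed === undefined) return { allowed: false, reason: 'unknown action' }; // deny by default
  if (rank(user.role) < rank(needed)) return { allowed: false, reason: 'insufficient role' };
  const enforce = env.REQUIRE_EMAIL_VERIFICATION === '1';
  if (enforce && VERIFIED_EMAIL_ACTIONS.has(action) && !user.emailVerified) {
    return { allowed: false, reason: 'email not verified' };
  }
  return { allowed: true, reason: 'ok' };
}

// Express-style route guard: 401 when not logged in, 403 when the policy denies.
function requireAction(action, env = process.env) {
  return (req, res, next) => {
    const verdict = authorize(req.user, action, env);
    if (verdict.allowed) return next();
    res.status(req.user ? 403 : 401).json({ error: verdict.reason });
  };
}

// Assumed wiring: app.post('/api/admin/promote', requireAction('admin:promote'), handler);
```

Keeping the policy in one table makes the privilege boundaries reviewable in one place, and the unknown-action branch means a route that forgets to register its action is denied rather than silently open.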
- Passwords use bcrypt (legacy SHA-256 hashes are migrated on successful login).
- Session cookies are `httpOnly`, `sameSite=strict`, and `secure` in production.
- CSRF protection for mutating requests via token header.
- In-memory rate limiters for auth, verification, resend, and write operations.
- Security headers: CSP, HSTS (prod), X-Frame-Options, nosniff, and referrer policy.
- Backend entrypoint: `server.js` (Express app, middleware, API routes, startup flow).
- Data layer: `db.js` (PostgreSQL pool, schema bootstrap, wrapper helpers).
- Mail integration: `email.js` (SMTP transporter + fallback behavior).
- Frontend delivery: static pages/scripts under `public/`.
- Backend: Node.js 18+, Express 5, express-session, pg.
- Database: PostgreSQL.
- Frontend: static HTML pages + vanilla JS + CSS under `public/`.
- Node.js 18+
- npm
- PostgreSQL database connection URL
Install dependencies:

```shell
npm install
```

Create `.env` from `.env.example`:

Windows PowerShell:

```powershell
Copy-Item .env.example .env
```

macOS/Linux:

```shell
cp .env.example .env
```

Start the server:

```shell
npm start
```

App default URL: http://localhost:3000
Required for deploy:
- `DATABASE_URL`
- `SESSION_SECRET` (16+ chars in production)
Common runtime vars:
- `NODE_ENV` (`production` on Render)
- `PORT` (Render injects this automatically)
- `TRUST_PROXY=1` (recommended behind Render proxy)
- `SESSION_NAME` (optional; default `sid`)
- `BCRYPT_ROUNDS` (default `12`, range `8-14`)
- `PASSWORD_SALT` (optional; legacy-only, used to validate old SHA-256 passwords during migration to bcrypt)
- `REQUIRE_EMAIL_VERIFICATION` (`0` or `1`)
Admin bootstrap vars:
- `ADMIN_USERNAME`
- `ADMIN_PASSWORD`
- `ADMIN_EMAIL`
- `ADMIN_RESET_ON_BOOT=1` (one-time recovery/reset mode)
SMTP vars (optional):
- `SMTP_HOST`
- `SMTP_PORT`
- `SMTP_USER`
- `SMTP_PASS`
- `SMTP_FROM`
- Schema is auto-initialized at startup.
- Primary tables include users, posts, comments, reactions, bookmarks, notifications, and admin audit logs.
- Indexes are created automatically for common query paths.
Build command:

```shell
npm install
```

Start command:

```shell
npm start
```

Set environment variables in the Render dashboard:

- `NODE_ENV=production`
- `DATABASE_URL`
- `SESSION_SECRET`
- `TRUST_PROXY=1`
- Admin bootstrap variables (`ADMIN_USERNAME`, `ADMIN_PASSWORD`, `ADMIN_EMAIL`)

Health check endpoint: `/api/health`
- Digital publication for a personal brand or editorial team.
- Internal knowledge or community portal with moderation controls.
- Starter SaaS for creator platforms where user-generated content is core.
- Portfolio-grade demo for freelance/client acquisition.
- Rate limiting is in-memory (single-instance behavior).
- Automated tests are not configured yet (`npm test` is currently a placeholder script).
- No password-reset flow yet.
- No file uploads/media storage.
- No OAuth/SSO.
- Startup fails: check `DATABASE_URL`, PostgreSQL network access, and Node version.
- Login/session issues in production: verify `SESSION_SECRET` and `TRUST_PROXY=1`.
- CSRF errors: ensure the frontend includes `public/csrf.js` and sends the token on writes.
- Verification email not sent: set SMTP vars or use the console fallback logs.
- Admin lockout: use `ADMIN_RESET_ON_BOOT=1` with a new `ADMIN_PASSWORD`, deploy once, then disable it.
- Main server entrypoint: `server.js`
- Static client files: `public/`
- Database layer + schema init: `db.js`
- Email helper: `email.js`
This project is licensed under the GNU Affero General Public License v3.0 (AGPLv3).
See the LICENSE file for full terms.
- [image] Profile Button (no unread notification)
- [image] Profile Button (unread notification)
- [image] Per post/story page (end of post/story)
- [image] Admin Management (only Promoted Admin and Super Admin)
- [image] Profile Information (only Super Admin)
- [image] Edit Profile (User + Promoted Admin)