Just wrapped up the core setup for my e-commerce API (Impextech): Auth, Products, and Users. Everything is running on Node.js, Express, and TypeScript. Instead of just getting it to work, I spent this week focusing on security, keeping the code clean, and fixing some annoyances in my dev environment. Here’s a breakdown of what I built and a few "gotchas" I learned along the way. I split everything into Models, Services, and Controllers. It takes a little more time to set up initially, but it makes the route files way easier to read and keeps all the database logic safely in one place. My folder structure looks like this now: src/ ├── controllers/ ├── middleware/ ├── models/ ├── routes/ └── services/ I set up custom middleware using express-jwt. Instead of applying global rules in my main app file, I passed requireLogin and isAdmindirectly into specific routes. // src/routes/user.routes.ts import { Router } from "express"; import { requireLogin, isAdmin } from "../middleware/auth.middleware.js"; import * as userController from "../controllers/user.controller.js"; const router = Router(); // Any logged-in user can view a profile router.get("/:id", requireLogin, userController.getUser); // ONLY Admins can delete accounts router.delete("/:id", requireLogin, isAdmin, userController.deleteUserController); export default router; I realized that Mongoose completely ignores schema validation during update queries by default. If you run findByIdAndUpdate, it just fires the raw command directly to MongoDB and skips your carefully crafted schema rules. { new: true, runValidators: true } to my service functions so bad data doesn't accidentally slip into the database. // src/services/user.service.ts export const updateUser = async (id: string, updateData: any) => { const updatedUser = await User.findByIdAndUpdate( id, updateData, { new: true, runValidators: true } // <-- The magic fix ); if (!updatedUser) throw new Error('User not found'); return updatedUser; }; Got tired of my zsh terminal suggesting old typos and deleted git branches. I finally updated my .zshrc config so it stops saving garbage commands. ~/.zshrc: # Stop saving duplicates and commands that start with a space setopt HIST_IGNORE_ALL_DUPS setopt HIST_IGNORE_SPACE setopt HIST_REDUCE_BLANKS Next on the roadmap is the Cart module. Now that I have users and products, it's time to build the logic so they can actually add items and check out. How do you usually handle role-based access control in your Node apps? Let me know in the comments!