The Auth API handles every step of the user identity lifecycle: account creation, credential verification, and secure password recovery via email. All tokens are JSON Web Tokens signed server-side with HS256. Passwords are never stored in plain text — bcrypt is used with 10 salt rounds before any password reaches the database.
The /register and /login endpoints are rate-limited at the Express router level. Exceeding the limit returns 429 Too Many Requests.

POST /api/auth/register

Creates a new user account. On success, returns the new user’s public profile (id, nombre, email). The password is hashed with bcrypt (10 rounds) before being stored — the plain-text value never touches the database. A JWT is not issued on registration; call POST /api/auth/login after registering to obtain a token.

Auth required: No

Request body

nombre (string, required): Full display name for the new account. Cannot be blank.
email (string, required): Valid email address. Must be unique across all registered accounts. Validated against the pattern /^[^\s@]+@[^\s@]+\.[^\s@]+$/.
password (string, required): Plain-text password. Must be at least 6 characters. The server hashes this with bcrypt before storing.

Responses

Success response fields:

status (string): Always "ok" on success.
message (string): Human-readable confirmation: "Usuario registrado exitosamente".
data (object): The new user’s public profile (id, nombre, email).

Error responses. The first three are returned when required fields are missing, the email format is invalid, or the password is shorter than 6 characters; the last is returned when the email is already registered:

{ "status": "error", "message": "Los campos nombre, email y password son requeridos" }
{ "status": "error", "message": "Formato de email inválido" }
{ "status": "error", "message": "La contraseña debe tener al menos 6 caracteres" }
{ "status": "error", "message": "El email ya está registrado" }

Example

curl -X POST http://localhost:3000/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "nombre": "Alex Ramos",
    "email": "[email protected]",
    "password": "strongPass1"
  }'

POST /api/auth/login

Authenticates an existing user and returns a signed JWT. The token is valid for 7 days and must be included in the Authorization header of every protected request.

Auth required: No

Request body

email (string, required): Registered email address.
password (string, required): Account password in plain text. Compared server-side using bcrypt.compare().

Responses

Success response fields:

status (string): "ok"
message (string): "Inicio de sesión exitoso"
data (object): Carries the signed JWT described above.

Error responses:

Returned when either field is missing:
{ "status": "error", "message": "Los campos email y password son requeridos" }

Returned when the email is not found or the password does not match. The message is intentionally generic to prevent user enumeration:
{ "status": "error", "message": "Credenciales inválidas" }

Returned when the credentials are correct but the account has been soft-deleted (activo = FALSE):
{ "status": "error", "message": "Esta cuenta ha sido desactivada" }

Example

curl -X POST http://localhost:3000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "strongPass1"
  }'

POST /api/auth/forgot-password

Initiates the password-reset flow. If the submitted email belongs to an active account, a reset link is sent via email. The server always returns the same success response regardless of whether the email is registered — this prevents user enumeration attacks.

The reset token is generated with crypto.randomBytes(32) (64 hex characters) and expires 1 hour after issuance. Only one valid token exists per user at a time.

Auth required: No

Request body

email (string, required): The email address associated with the account to recover.

Responses

Success. This response is returned whether or not the email is registered. This is intentional: it prevents an attacker from probing which emails are in the system.

{
  "ok": true,
  "mensaje": "Si el email existe, recibirás un correo con las instrucciones"
}

Returned when the email field is missing:

{ "ok": false, "mensaje": "El email es obligatorio" }

Example

curl -X POST http://localhost:3000/api/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{ "email": "[email protected]" }'

POST /api/auth/reset-password

Completes the password-reset flow. Accepts the token delivered via email and the new desired password. If the token is valid and unexpired, the user’s password is updated and the token is permanently invalidated so it cannot be reused.

Auth required: No

Request body

token (string, required): The 64-character hex token received in the password-reset email.
passwordNueva (string, required): The new plain-text password. Must be at least 8 characters. Hashed with bcrypt (10 rounds) before storage.

Responses

Success:

{
  "ok": true,
  "mensaje": "Contraseña actualizada. Ya podés iniciar sesión"
}

Error responses, returned respectively when the token is unknown, already used or expired; when the new password is shorter than 8 characters; and when either field is missing:

{ "ok": false, "mensaje": "El enlace es inválido o ya expiró" }
{ "ok": false, "mensaje": "La nueva contraseña debe tener al menos 8 caracteres" }
{ "ok": false, "mensaje": "Token y nueva contraseña son obligatorios" }

Example

curl -X POST http://localhost:3000/api/auth/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "token": "a3f2e1d4c5b6a7f8...",
    "passwordNueva": "newSecurePass99"
  }'
