Authentication is not currently implemented. The codebase has the necessary dependencies installed (jsonwebtoken and bcryptjs) but no authentication logic is active yet. This page describes the planned authentication architecture.

Current State

App CR currently has:
  • ✅ JWT and bcrypt packages installed in package.json
  • JWT_SECRET environment variable defined but unused
  • ✅ User model with email and password fields
  • ❌ No password hashing implementation
  • ❌ No JWT token generation
  • ❌ No authentication middleware
  • ❌ No protected routes

Planned Authentication Flow

When implemented, App CR will use JWT (JSON Web Token) based authentication:
1. User Registration

Users will register by providing an email and password. The password should be hashed using bcryptjs before storage.
const hashedPassword = await bcrypt.hash(password, 10);
2. Token Generation

Upon successful login, the server will generate a JWT token signed with the JWT_SECRET environment variable.
const token = jwt.sign(
  { userId: user.id, email: user.email },
  process.env.JWT_SECRET,
  { expiresIn: '24h' }
);
3. Token Usage

Clients will include the JWT token in the Authorization header for authenticated requests:
Authorization: Bearer <your-jwt-token>
4. Token Verification

Protected endpoints will verify the token before processing requests:
const decoded = jwt.verify(token, process.env.JWT_SECRET);

Technology Stack

App CR's authentication system will be built with the following dependencies, which are already installed:
Package          Version   Purpose
jsonwebtoken     ^9.0.3    JWT token creation and validation
bcryptjs         ^3.0.3    Password hashing and comparison
express          ^5.2.1    HTTP server framework
@prisma/client   ^6.19.2   Database ORM for user management

Available Dependencies

The required authentication packages are already installed:

Password Hashing

bcryptjs ^3.0.3 - Ready to use for hashing passwords with a cost factor (salt rounds) of 10

JWT Tokens

jsonwebtoken ^9.0.3 - Ready to use for token creation and validation

Environment Variables

JWT_SECRET - Already defined in environment configuration (currently unused)

Database Security

Email uniqueness is enforced at the database level using Prisma @unique constraint

User Model

The User model in App CR is defined in the Prisma schema:
model User {
  id        Int      @id @default(autoincrement())
  email     String   @unique
  password  String
  tasks     Task[]
}
Key Points:
  • email is unique and serves as the username
  • password currently stores plain text (needs hashing implementation)
  • Each user can have multiple tasks (one-to-many relationship)
The @unique constraint on email ensures no duplicate accounts can be created with the same email address.

Environment Configuration

The JWT_SECRET environment variable is defined but not yet used:
.env
JWT_SECRET=your-secret-key-here
Never commit your JWT_SECRET to version control! Use a strong, randomly generated secret in production. You can generate one using:
node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"

Current Implementation

The only implemented endpoint is user registration without authentication:
curl -X POST http://localhost:3000/usuarios \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "securePassword123"
  }'
Response:
{
  "id": 1,
  "email": "[email protected]",
  "password": "securePassword123"
}
Passwords are currently stored as plain text. This is insecure and should not be used in production. See the JWT Implementation guide for secure password hashing.

Next Steps

JWT Implementation

Learn how to implement JWT token generation and validation

API Reference

Explore all available authentication endpoints
