Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/CristianRR94/springCommunity/llms.txt

Use this file to discover all available pages before exploring further.

Spring Community’s authentication model is fully stateless — no server-side session is ever created. Every request is authenticated by a signed JSON Web Token (JWT) carried in the Authorization header. Two token types are in play at all times: a short-lived ACCESS token for regular API calls and a longer-lived REFRESH token used exclusively to obtain a new token pair. Both tokens are persisted in the database so they can be individually revoked before their natural expiry, giving the platform hard logout semantics that pure stateless JWTs cannot provide on their own.

Public vs Protected Endpoints

Not every endpoint requires a token. The table below lists all routes and their access level as configured in WebSecurityConfig.
Endpoint patternAccess levelNotes
/auth/**PublicRegister, login, refresh — no token needed
/api/usuarios/**PublicUser profile reads and creation
/images/**PublicStatic image assets
/ws-chatPublicWebSocket handshake (token checked by STOMP interceptor)
/api/eventos/**AuthenticatedEvent management — requires valid ACCESS token
/api/participantes/**AuthenticatedParticipant management — requires valid ACCESS token
Any other routeAuthenticatedDefaults to requiring authentication
Although the /ws-chat WebSocket handshake URL itself is marked public in Spring Security, the STOMP CONNECT frame is intercepted by JwtChannelInterceptor, which reads the Authorization native header and extracts the username from the token. If a valid username is resolved, a principal is bound to the session; otherwise the connection proceeds with no authenticated principal.

Auth Flow

The complete lifecycle from registration to logout follows these steps:
1

Register a new account

Send a POST request to /auth/crear with a UsuarioEntradaDTO body. On success the server creates the user, issues both token types, and returns a TokenResponse.
curl -X POST http://localhost:8080/auth/crear \
  -H "Content-Type: application/json" \
  -d '{"nombre": "alice", "email": "alice@example.com", "password": "s3cr3t"}'
2

Log in to an existing account

Send a POST request to /auth/login with a LoginDTO body. The server validates the credentials, revokes any existing tokens, and issues a fresh TokenResponse.
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"nombre": "alice", "password": "s3cr3t"}'
3

Call protected endpoints

Include the access token from TokenResponse.access_token in every request to a protected resource using the standard Authorization: Bearer scheme.
curl http://localhost:8080/api/eventos \
  -H "Authorization: Bearer <accessToken>"
4

Refresh an expired access token

When the access token expires (default 1 hour), send a POST to /auth/refresh with the refresh token in the Authorization header. A brand-new token pair is returned and the old tokens are revoked.
curl -X POST http://localhost:8080/auth/refresh \
  -H "Authorization: Bearer <refreshToken>"
5

Log out

Send a POST to /auth/logout with the current access token. The server looks up the owning user in the database and marks all of their tokens as expired and revoked. The Spring SecurityContext is cleared immediately.
curl -X POST http://localhost:8080/auth/logout \
  -H "Authorization: Bearer <accessToken>"

TokenResponse Shape

Both the registration and login endpoints return the same TokenResponse record. The JSON property names use snake_case as declared with @JsonProperty in the source.
{
  "access_token": "eyJhbGciOiJIUzI1NiJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiJ9..."
}
Store these values securely on the client. Use access_token for every API call and keep refresh_token only for the /auth/refresh endpoint.

Error Responses

When authentication fails the API returns a standard error envelope:
{
  "status": 401,
  "message": "JWT token is expired",
  "timestamp": "2024-11-15T10:23:45.123Z"
}
Common HTTP status codes you will encounter in the authentication flow:
HTTP StatusMeaning
400Validation failure on the request body (missing fields, blank values)
401Token is missing, expired, revoked, or of the wrong type
404Referenced user was not found in the database

JWT Token Lifecycle

Signing algorithm, claims structure, expiry defaults, revocation mechanics, and curl examples for refresh and logout.

WebSocket Authentication

How to pass your ACCESS token in a STOMP CONNECT frame and interact with the real-time chat system.

Build docs developers (and LLMs) love