The Sistema de Inventario Tecnológico uses a stateless, cookie-based JWT authentication flow. CallingDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Danielings/Pasantia-Proyecto/llms.txt
Use this file to discover all available pages before exploring further.
POST /api/login with valid credentials returns a signed JSON Web Token stored in an HTTP-only cookie named acceso_token. Every subsequent request to a protected endpoint must include that cookie — the server reads and verifies it via the verificarToken middleware before the route handler runs. This page walks through the full lifecycle: logging in, making authenticated requests, inspecting the current session, and logging out.
Login
POST /api/login
Send the user’s email address and plaintext password. On success the server signs a JWT, sets it as an HTTP-only cookie, and returns a JSON body with basic user information.
Request body
The user’s registered email address.
The user’s plaintext password. The server compares it against the bcrypt hash stored in Firestore.
Success response — 200 OK
Human-readable confirmation, e.g.
"Login exitoso".The signed JWT. This is the same value that is set in the cookie. You do not need to store or send it manually — it is included here for debugging or non-browser clients.
Set-Cookie header
| Attribute | Value | Purpose |
|---|---|---|
HttpOnly | true | Prevents JavaScript from reading the cookie |
SameSite | lax | Allows cross-site navigations while blocking CSRF |
Max-Age | 3600 seconds (1 hour) | Cookie expires after one hour; Express converts maxAge: 3600000 ms to seconds automatically |
Secure | false (development) | See warning below |
Error responses
| Status | Condition | Body |
|---|---|---|
401 | Email not found or password does not match | { "message": "Credenciales inválidas" } |
403 | Account exists but its estado is not "activo" | { "message": "Usuario se encuentra inactivo" } |
500 | Unexpected Firestore or server error | { "message": "Error en el servidor" } |
curl example
-c cookies.txt flag saves the acceso_token cookie to a file so it can be reused in follow-up requests.
Making Authenticated Requests
Every route protected byverificarToken expects the acceso_token cookie to be present on the request. You do not need to add any custom headers — the browser (or your HTTP client) handles this automatically once the cookie is set.
curl
Pass-b cookies.txt to replay the saved cookie jar:
Axios
Create a shared Axios instance withwithCredentials: true. This setting instructs the browser to include cookies on all cross-origin requests made through that instance:
Fetch API
Session Introspection Endpoints
GET /api/me
Returns the decoded JWT payload for the current session without hitting Firestore. Use this for quick permission checks or to populate a session store on page load.
Requires: valid acceso_token cookie.
Response — 200 OK
Always
true when the endpoint returns 200.GET /api/usuarios/me
Returns the full Firestore document for the currently authenticated user, including all profile fields. Use this when you need data beyond what is encoded in the JWT (e.g. cedula, telefono, nombre, apellido, location details).
Requires: valid acceso_token cookie.
Response — 200 OK
Always
true on success.The complete Firestore document merged with the document’s
id.The Firestore document ID for the user.
Email address.
Display username.
Role string.
First name.
Last name.
National ID number.
Contact phone number.
Denormalized location object (region, estado, ciudad, sede, piso, ala).
Error responses
| Status | Condition | Body |
|---|---|---|
404 | Token is valid but no matching Firestore document found | { "autenticado": false, "message": "Usuario no encontrado en la base de datos." } |
500 | Firestore read failure | { "message": "Error interno al obtener el perfil" } |
Logout
POST /api/logout
Clears the acceso_token cookie from the client. After this call the server will reject any further requests that rely on the old cookie.
No request body required.
Response — 200 OK
JWT Token Structure
The token is signed with theJWT_SECRET environment variable (falls back to "lol" in development). It contains the following claims:
| Claim | Type | Description |
|---|---|---|
id | string | Firestore document ID of the user |
rol | string | User role at the time of login |
sede | string | null | Branch derived from ubicacion.sede |
username | string | Display username |
correo | string | Email address |
iat | number | Issued-at timestamp (Unix seconds) |
exp | number | Expiry timestamp — always iat + 3600 (1 hour) |
Middleware Behavior
All protected routes pass through theverificarToken middleware before the route handler executes. The middleware reads req.cookies.acceso_token and branches as follows:
- Cookie absent →
401 { "message": "No autorizado, sesión expirada" } jwt.verifythrows (expired, tampered, or wrong secret) →401 { "message": "Token inválido" }- Valid token → decoded payload is attached to
req.userandnext()is called
Sessions last exactly 1 hour from the moment of login. Once the token expires the next request to a protected endpoint will return
401 and the user must call POST /api/login again to obtain a fresh cookie. There is no silent token refresh mechanism — plan your frontend to detect 401 responses and redirect to the login page.