POST /api/login is the only authentication endpoint in the UniLink API. It looks up the submitted credentials in the users table and, on success, returns the account’s email and role. The client uses the role value to decide which interface to render — the student dashboard or the company portal — so it is important that the correct account is used for each workflow.

Endpoint

POST /api/login

Request body

  • email (string, required): The user’s registered email address.
  • password (string, required): The user’s password. Passwords are stored and compared as plain text in this prototype.

Response fields

  • email (string): The authenticated user’s email address, echoed back from the database row.
  • role (string): The user’s role. Either estudiante (student) or empresa (company).

Examples

Student login

curl -X POST http://localhost:3001/api/login \
  -H "Content-Type: application/json" \
  -d '{"email": "admin@unmsm.edu.pe", "password": "unmsm2025"}'

Company login

curl -X POST http://localhost:3001/api/login \
  -H "Content-Type: application/json" \
  -d '{"email": "maria.fernandez@talenthub.pe", "password": "talenthub2025"}'

Error response — 401 Unauthorized

When the email does not exist in the database or the password does not match, the server returns HTTP 401 with a Spanish-language error message:
{ "error": "Correo o contraseña incorrectos." }

Role-based access

After a successful login, the role value drives the entire React application:
  • estudiante — shows the student feed, application tracker, and student profile editor.
  • empresa — shows the company portal, posted-jobs card, and company profile editor, and also enables POST /api/jobs.
When calling POST /api/jobs as a company user, the frontend sends the stored role as the x-role: empresa request header. Requests to that endpoint without the correct header value receive a 403 Forbidden response.

Security warning

Passwords are stored as plain text in the SQLite database — no hashing, salting, or encryption is applied. This is intentional for a demo prototype to keep the setup dependency-free and easy to inspect. Never use this approach in a production system. A real application must hash passwords with a library such as bcrypt before storing them.
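
What the hashed alternative to the plain-text comparison can look like, as an added example that is not UniLink's own code. It uses Node's built-in crypto.scrypt rather than bcrypt so it runs without dependencies; the users map, the accounts in it and the function names are constructed for illustration.

```javascript
// Added example: salted scrypt hashes in place of a plain-text password compare.
const crypto = require('node:crypto');

const KEY_LEN = 32; // bytes of derived key stored per user

// Returns "salt:hash" (hex), the value to store in the password column.
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // fresh salt per password
  const hash = crypto.scryptSync(password, salt, KEY_LEN);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

// Recomputes the hash with the stored salt and compares in constant time.
function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const expected = Buffer.from(hashHex, 'hex');
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed stand-in for the users table (hypothetical rows, not the seeded demo accounts).
const users = new Map([
  ['student@example.test', { role: 'estudiante', password: hashPassword('constructed-pass-1') }],
  ['company@example.test', { role: 'empresa', password: hashPassword('constructed-pass-2') }],
]);

// Verified when the email is unknown, so both failure paths do the same amount of work.
const DUMMY_HASH = hashPassword(crypto.randomBytes(16).toString('hex'));

// Mirrors the documented contract: 200 with { email, role }, or 401 with one
// shared error message for an unknown email and for a wrong password.
function login(email, password) {
  const row = users.get(email);
  const ok = verifyPassword(String(password), row ? row.password : DUMMY_HASH);
  if (!row || !ok) {
    return { status: 401, body: { error: 'Correo o contraseña incorrectos.' } };
  }
  return { status: 200, body: { email, role: row.role } };
}
```

With this in place the database row holds only the salt and derived key, so inspecting the SQLite file no longer reveals the passwords themselves.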

How the frontend uses this endpoint

The React app calls this endpoint through the login(email, password) function defined in src/lib/api.js. On a successful response, the returned object is persisted to localStorage via the useLocalStorageState hook and placed into the global AppDataContext, making the email and role values available to every component without additional network requests. The login page also ships two quick-fill buttons — “Ver como estudiante” and “Ver como empresa” — that pre-populate the form with the two demo accounts seeded into the database on first run.
