Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Gianluca-X/DigitalMoney/llms.txt
Use this file to discover all available pages before exploring further.
The Auth Service is the security backbone of Digital Money House. It owns all authentication state: user credentials are stored in a dedicated auth_service_db MySQL database, and every protected request across the platform must carry a JWT that this service originally issued. No other service stores passwords — the Auth Service is the single source of truth for identity.
Responsibilities
- Register new users, persist hashed credentials, and issue an initial JWT
- Issue JWT tokens (HS256, 24-hour TTL) on successful login
- Verify email via a UUID-based verification code sent on registration
- Change email for an authenticated user and publish a UserEmailChangedEvent to RabbitMQ
- Change password for an authenticated user
- Update a user’s email or role (called internally by the User Service)
- Delete an auth record when a user account is fully removed
Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /auth/register | Register a new user. Returns authId and a signed JWT. |
| POST | /auth/login | Authenticate with email + password. Returns JWT on success. |
| GET | /auth/verify?code={code} | Activate an account by submitting the emailed verification code. |
| PATCH | /auth/change-email?newEmail={email} | Replace the current user's email. Requires a valid Bearer token. |
| PATCH | /auth/change-password?newPassword={p} | Replace the current user's password. Requires a valid Bearer token. |
| PUT | /auth/update | Internal endpoint: update email or role by authId. Called by User Service. |
| DELETE | /auth/delete/{authId} | Delete the auth record for the given ID. |
/auth/register, /auth/login and GET /auth/verify are the only public endpoints (the verification link is opened from the user's mail client, so that request cannot carry a token). All other Auth Service endpoints require a valid Authorization: Bearer <token> header.

Note that /auth/change-password receives the new password as a query parameter, so it is part of the request URL. Any component that records full URLs (the API Gateway, a reverse proxy, browser history) will capture it; call this endpoint only over TLS and make sure URL logging is disabled for that path.
Request and Response Examples
Register — POST /auth/register
```json
// Request body
{
  "email": "user@example.com",
  "password": "Str0ngP@ssword!"
}
```

```json
// 200 OK response
{
  "authId": 7,
  "token": "eyJhbGciOiJIUzI1NiJ9...",
  "message": null
}
```
Login — POST /auth/login
```json
// Request body
{
  "email": "user@example.com",
  "password": "Str0ngP@ssword!"
}
```

```json
// 200 OK response
{
  "authId": 7,
  "token": "eyJhbGciOiJIUzI1NiJ9...",
  "message": "Login Exitoso"
}
```
Login returns 400 Bad Request if the password is wrong, and a specific error if the email has not been verified yet. Users must verify their email before they can log in.
JWT Configuration
Tokens are generated with JwtUtil using the HS256 algorithm. The JWT payload includes:
| Claim | Value |
|---|---|
| sub | User's email address |
| role | User role, e.g. USER, ADMIN |
| iat | Issued-at timestamp |
| exp | Expiration (issued-at + 24 h) |
```java
// JwtUtil.generateToken — real implementation
Jwts.builder()
    .setSubject(user.getEmail())                  // sub: the user's email
    .claim("role", user.getRol().name())          // custom claim: USER or ADMIN
    .setIssuedAt(new Date())                      // iat
    .setExpiration(new Date(System.currentTimeMillis() + 86400000)) // exp = iat + 24 h
    .signWith(SignatureAlgorithm.HS256, secret)   // HMAC-SHA256 over header.payload with jwt.secret
    .compact();
```
All downstream services and the API Gateway share the same jwt.secret value to validate tokens without calling back to the Auth Service. Because HS256 is a symmetric MAC, every service that holds the secret can also mint tokens the whole platform accepts, so the secret must be protected as strictly in each consumer as in the Auth Service itself, and consumers should pin the expected algorithm to HS256 rather than honouring whatever alg a token header claims.
Using the token in requests:

```http
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...
```
Email Verification Flow
Account activation is a hard requirement: users cannot log in until their email is confirmed.
```text
1. POST /auth/register
        │
        ▼
2. Auth Service creates user record (emailVerified = false)
   and generates a UUID verification code.
        │
        ▼
3. Verification email sent to user via Gmail SMTP
   containing the link:
   http://localhost:8085/auth/verify?code=<uuid>
        │
        ▼
4. User clicks link → GET /auth/verify?code=<uuid>
        │
        ▼
5. Auth Service sets emailVerified = true,
   clears the verification code (single-use).
        │
        ▼
6. User can now POST /auth/login successfully.
```
The verification link passes through the API Gateway (localhost:8085), which forwards it to the Auth Service at localhost:8082 via the /auth/** route; since the link is opened from a mail client, the gateway must let this GET through without a Bearer token. Verification is enforced only at /auth/login: the JWT carries no emailVerified claim (see the claim table above), so a service that validates the signature alone cannot tell whether the account behind a token has been verified.
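To make the six steps above concrete, here is an added in-memory model of the flow (example code, not the project's own): register stores the record unverified and mints a UUID code, verify consumes the code so it cannot be replayed, and login distinguishes a wrong password from an unverified email. It assumes hashlib.pbkdf2_hmac as a stand-in for BCrypt, uses the gateway address from the diagram as a constructed constant, and checks the password before the verified flag, an ordering the page does not specify.

```python
"""Added example (not project code): in-memory model of register -> verify ->
login. PBKDF2 stands in for BCrypt; GATEWAY_BASE is a constructed value."""
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GATEWAY_BASE = "http://localhost:8085"  # API Gateway address from the flow above
PBKDF2_ROUNDS = 100_000                 # stand-in for BCrypt's work factor (assumption)


@dataclass
class AuthRecord:
    """Mirror of the users table columns in auth_service_db."""
    id: int
    email: str
    password: str  # "salthex$digesthex" here; the real column is a BCrypt hash
    email_verified: bool = False
    verification_code: Optional[str] = None
    rol: str = "USER"


def _hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def _check_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = _hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


class AuthStore:
    """In-memory stand-in for auth_service_db."""

    def __init__(self) -> None:
        self._by_email: Dict[str, AuthRecord] = {}
        self._by_code: Dict[str, AuthRecord] = {}
        self._next_id = 1

    def register(self, email: str, password: str) -> Tuple[int, str]:
        """Steps 1-3: store the record unverified, mint a UUID code, and return
        the authId plus the link the verification email would carry."""
        if email in self._by_email:
            raise ValueError("email already registered")
        code = str(uuid.uuid4())
        rec = AuthRecord(self._next_id, email, _hash_password(password),
                         verification_code=code)
        self._next_id += 1
        self._by_email[email] = rec
        self._by_code[code] = rec
        return rec.id, f"{GATEWAY_BASE}/auth/verify?code={code}"

    def verify(self, code: str) -> bool:
        """Steps 4-5: consume the code. pop() makes it single-use, so a replayed
        or unknown code returns False and changes nothing."""
        rec = self._by_code.pop(code, None)
        if rec is None:
            return False
        rec.email_verified = True
        rec.verification_code = None
        return True

    def login(self, email: str, password: str) -> str:
        """Step 6 gate. Returns "OK", "BAD_CREDENTIALS" (the page's 400) or
        "EMAIL_NOT_VERIFIED". The password is checked first so the verified
        state is never disclosed to a caller who lacks the password."""
        rec = self._by_email.get(email)
        if rec is None or not _check_password(password, rec.password):
            return "BAD_CREDENTIALS"
        if not rec.email_verified:
            return "EMAIL_NOT_VERIFIED"
        return "OK"


if __name__ == "__main__":
    store = AuthStore()
    auth_id, link = store.register("user@example.com", "Str0ngP@ssword!")
    print("registered", auth_id, "link:", link)
    print("login before verify:", store.login("user@example.com", "Str0ngP@ssword!"))
    code = link.split("code=", 1)[1]
    print("verify:", store.verify(code), "replay:", store.verify(code))
    print("login after verify:", store.login("user@example.com", "Str0ngP@ssword!"))
```

The replay check in verify is the part worth keeping when porting this to a real store: clearing the code in the same operation that flips emailVerified is what makes the emailed link single-use.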
RabbitMQ Integration
When a user changes their email via PATCH /auth/change-email, the Auth Service publishes a UserEmailChangedEvent to RabbitMQ so that the User Service can update its own copy of the email without a synchronous Feign call.
```java
// From AuthService.changeEmail()
// Event carries the auth record id and the new address; it is published to the
// "user.exchange" topic exchange with routing key "user.email.changed".
UserEmailChangedEvent event = new UserEmailChangedEvent(user.getId(), newEmail);
rabbitTemplate.convertAndSend("user.exchange", "user.email.changed", event);
```
| Property | Value |
|---|---|
| Exchange | user.exchange |
| Routing key | user.email.changed |
| Queue (consumer) | user.email.changed |
| Exchange type | topic |
Auth Entity
The users table in auth_service_db stores only authentication-related fields.
| Field | Type | Notes |
|---|---|---|
| id | Long | Primary key, auto-incremented |
| email | String | Unique, not null |
| password | String | BCrypt-hashed, not null |
| emailVerified | boolean | false until verification code is used |
| verificationCode | String | UUID; set to null after verification |
| rol | Role | Enum: USER or ADMIN |
Configuration Reference
All properties come from auth-service/src/main/resources/application.yml. Note that jwt.secret sits in plaintext in that file: anyone with read access to the repository can sign tokens every service accepts. For a real deployment inject it from the environment (Spring resolves `${JWT_SECRET}`-style placeholders) and rotate the key if it has ever been committed.
| Property | Value / Default | Description |
|---|---|---|
| server.port | 8082 | HTTP port the service binds to |
| jwt.secret | mySuperUltraSecretKeyForJWTGeneration… | Shared HS256 signing key |
| jwt.expiration | 86400000 (ms = 24 h) | Token lifetime |
| spring.mail.host | smtp.gmail.com | SMTP host for verification emails |
| spring.mail.port | 587 | SMTP port (STARTTLS) |
| rabbitmq.host | localhost | RabbitMQ broker host |
| rabbitmq.port | 5672 | RabbitMQ AMQP port |
| eureka.instance.hostname | auth-service | Service discovery registration name |
```yaml
# auth-service/src/main/resources/application.yml (key excerpt)
server:
  port: 8082
jwt:
  secret: mySuperUltraSecretKeyForJWTGeneration123456!
  expiration: 86400000 # 1 day in milliseconds
spring:
  mail:
    host: smtp.gmail.com
    port: 587
    properties:
      mail:
        smtp:
          starttls:
            enable: true
```