
The Auth Service is the security backbone of Digital Money House. It owns all authentication state: user credentials are stored in a dedicated auth_service_db MySQL database, and every protected request across the platform must carry a JWT that this service originally issued. No other service stores passwords — the Auth Service is the single source of truth for identity.

Responsibilities

  • Register new users, persist hashed credentials, and issue an initial JWT
  • Issue JWT tokens (HS256, 24-hour TTL) on successful login
  • Verify email via a UUID-based verification code sent on registration
  • Change email for an authenticated user and publish a UserEmailChangedEvent to RabbitMQ
  • Change password for an authenticated user
  • Update a user’s email or role (called internally by the User Service)
  • Delete an auth record when a user account is fully removed

Endpoints

| Method | Path | Description |
|---|---|---|
| POST | /auth/register | Register a new user. Returns authId and a signed JWT. |
| POST | /auth/login | Authenticate with email + password. Returns JWT on success. |
| GET | /auth/verify?code={code} | Activate an account by submitting the emailed verification code. |
| PATCH | /auth/change-email?newEmail={email} | Replace the current user's email. Requires a valid Bearer token. |
| PATCH | /auth/change-password?newPassword={p} | Replace the current user's password. Requires a valid Bearer token. |
| PUT | /auth/update | Internal endpoint: update email or role by authId. Called by User Service. |
| DELETE | /auth/delete/{authId} | Delete the auth record for the given ID. |

/auth/register and /auth/login are the public entry points, and /auth/verify must also be reachable without a token: it is opened from the emailed link by a user who cannot log in until verification succeeds. All other Auth Service endpoints require a valid Authorization: Bearer <token> header. Note that /auth/change-password carries the new password in the query string, so it can end up in gateway and proxy access logs and in browser history; call it over HTTPS only and keep those logs out of shared storage.

Request and Response Examples

Register — POST /auth/register

```json
// Request body
{
  "email": "user@example.com",
  "password": "Str0ngP@ssword!"
}
```

```json
// 200 OK response
{
  "authId": 7,
  "token": "eyJhbGciOiJIUzI1NiJ9...",
  "message": null
}
```

Login — POST /auth/login

```json
// Request body
{
  "email": "user@example.com",
  "password": "Str0ngP@ssword!"
}
```

```json
// 200 OK response
{
  "authId": 7,
  "token": "eyJhbGciOiJIUzI1NiJ9...",
  "message": "Login Exitoso"
}
```
Login returns 400 Bad Request if the password is wrong, and a distinct error if the email has not been verified yet. Users must verify their email before they can log in. Because the two failures are distinguishable, the password check should run before the verified check, so that the "not verified" response is only ever returned to a caller who already presented the correct password; otherwise the distinct error lets anyone enumerate which addresses are registered.

JWT Configuration

Tokens are generated with JwtUtil using the HS256 algorithm. The JWT payload includes:

| Claim | Value |
|---|---|
| sub | User's email address |
| role | User role, e.g. USER, ADMIN |
| iat | Issued-at timestamp |
| exp | Expiration (issued-at + 24 h) |

```java
// JwtUtil.generateToken — real implementation
Jwts.builder()
    .setSubject(user.getEmail())
    .claim("role", user.getRol().name())
    .setIssuedAt(new Date())
    .setExpiration(new Date(System.currentTimeMillis() + 86400000)) // 24 h
    .signWith(SignatureAlgorithm.HS256, secret)
    .compact();
```

As shown, the TTL is the literal 86400000 rather than the jwt.expiration property; if that matches the code, changing the property alone will not shorten the token lifetime.

All downstream services and the API Gateway share the same jwt.secret value, so each can validate tokens locally without calling back to the Auth Service. The flip side of HS256 with a shared key is that signing and verification use the same secret: any service or host holding jwt.secret can mint a token with an arbitrary sub and role, so the secret is as sensitive as the Auth Service's database and its blast radius is every consumer it is distributed to. Validators must also pin the algorithm to HS256 rather than trusting the alg header of the incoming token. Using the token in requests:

```http
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...
```
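The following is an added example, not code from the Digital Money House project, that mirrors what a downstream service holding jwt.secret has to do: mint a token with the same claim set JwtUtil produces (sub, role, iat, exp, HS256), then validate it with the algorithm pinned, the signature checked in constant time, and exp enforced. The secret value, the function names and the tamper_role helper are this example's own assumptions; the point it makes beyond the prose is that a tampered role is rejected while anyone who holds the shared secret can mint a valid ADMIN token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for jwt.secret; a real deployment reads it from the
# environment or a secrets store, never from a committed application.yml.
SHARED_SECRET = b"example-shared-secret-for-this-demo-only"
TTL_SECONDS = 86400  # jwt.expiration = 86400000 ms


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def generate_token(email: str, role: str, secret: bytes, now: Optional[int] = None) -> str:
    """Mint a token with the same claims JwtUtil.generateToken sets (sub, role, iat, exp)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256"}  # encodes to eyJhbGciOiJIUzI1NiJ9, the prefix seen in the responses above
    payload = {"sub": email, "role": role, "iat": now, "exp": now + TTL_SECONDS}
    signing_input = f"{_b64url(_json(header))}.{_b64url(_json(payload))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Validate as a downstream service holding jwt.secret would; returns the payload or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        sig = _b64url_decode(s64)
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueError subclasses
        raise ValueError("malformed token") from exc
    # Pin the algorithm to what the Auth Service uses; never let the token choose it
    # (this rejects alg=none and any key-confusion attempt).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired")
    if "sub" not in payload or "role" not in payload:
        raise ValueError("missing sub or role claim")
    return payload


def tamper_role(token: str, new_role: str) -> str:
    """Rewrite the role claim without re-signing, as an attacker without the secret would have to."""
    h64, p64, s64 = token.split(".")
    payload = json.loads(_b64url_decode(p64))
    payload["role"] = new_role
    return f"{h64}.{_b64url(_json(payload))}.{s64}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = generate_token("user@example.com", "USER", SHARED_SECRET, now=t0)
    print(verify_token(tok, SHARED_SECRET, now=t0 + 60))
    for bad, when in ((tamper_role(tok, "ADMIN"), t0 + 60), (tok, t0 + TTL_SECONDS + 1)):
        try:
            verify_token(bad, SHARED_SECRET, now=when)
        except ValueError as err:
            print("rejected:", err)
```

The verifier fixes alg to HS256 before looking at the signature, which is the check most JWT libraries leave to the caller; with a shared symmetric key there is no reason to accept any other header value.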

Email Verification Flow

Account activation is a hard requirement: users cannot log in until their email is confirmed.
1. POST /auth/register
2. Auth Service creates the user record (emailVerified = false) and generates a UUID verification code.
3. Verification email is sent to the user via Gmail SMTP containing the link http://localhost:8085/auth/verify?code=<uuid>
4. User clicks the link → GET /auth/verify?code=<uuid>
5. Auth Service sets emailVerified = true and clears the verification code (single-use).
6. User can now POST /auth/login successfully.
The verification link passes through the API Gateway (localhost:8085) so the code reaches the Auth Service at localhost:8082 via the /auth/** route.
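The six steps above, as an added example that is not the project's code: an in-memory stand-in for the users table that registers an unverified record with a uuid4 code, activates it on a single use of that code, and gates login on emailVerified. The AuthStore class, its return codes and the use of pbkdf2 in place of BCrypt (which is not in the Python standard library) are this example's own assumptions. It also covers two failure modes the flow implies but does not spell out: a reused or unknown code fails, and an unknown email still costs a password hash so login timing does not reveal which addresses exist.

```python
import hashlib
import hmac
import os
import uuid
from typing import Dict, Optional

# pbkdf2 stands in for BCrypt; the property that matters here is a salted,
# deliberately slow password hash.
_SALT_LEN = 16
_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * _SALT_LEN


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


class AuthStore:
    """In-memory stand-in for the users table in auth_service_db (constructed for this example)."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}  # email -> record carrying the Auth entity fields

    def register(self, email: str, password: str) -> str:
        """POST /auth/register: persist the hashed credential, unverified, with a fresh code."""
        if email in self._users:
            raise ValueError("email already registered")
        salt = os.urandom(_SALT_LEN)
        self._users[email] = {
            "email": email,
            "password": salt + _hash_password(password, salt),
            "emailVerified": False,
            # uuid4 draws 122 random bits from os.urandom, so the code cannot be guessed
            "verificationCode": str(uuid.uuid4()),
        }
        return self._users[email]["verificationCode"]  # the value the emailed link carries

    def verify(self, code: str) -> bool:
        """GET /auth/verify?code=...: activate the matching record and burn the code."""
        for rec in self._users.values():
            stored: Optional[str] = rec["verificationCode"]
            if stored is not None and hmac.compare_digest(stored.encode(), code.encode()):
                rec["emailVerified"] = True
                rec["verificationCode"] = None  # single use: a second click fails
                return True
        return False  # unknown, already used, or malformed code

    def login(self, email: str, password: str) -> str:
        """POST /auth/login: returns OK, BAD_CREDENTIALS or EMAIL_NOT_VERIFIED."""
        rec = self._users.get(email)
        if rec is None:
            _hash_password(password, _DUMMY_SALT)  # same cost as a real check, so timing does not leak existence
            return "BAD_CREDENTIALS"
        salt, digest = rec["password"][:_SALT_LEN], rec["password"][_SALT_LEN:]
        if not hmac.compare_digest(digest, _hash_password(password, salt)):
            return "BAD_CREDENTIALS"
        # Checked after the password, so the distinct "not verified" answer reaches only a
        # caller who already holds the correct password.
        if not rec["emailVerified"]:
            return "EMAIL_NOT_VERIFIED"
        return "OK"


if __name__ == "__main__":
    store = AuthStore()
    code = store.register("user@example.com", "Str0ngP@ssword!")
    print("login before verify:", store.login("user@example.com", "Str0ngP@ssword!"))
    print("verify:", store.verify(code), "second use:", store.verify(code))
    print("login after verify:", store.login("user@example.com", "Str0ngP@ssword!"))
```

Clearing verificationCode on success is what makes the link single-use; keeping the column nullable (as the Auth entity table below shows) is what allows it.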

RabbitMQ Integration

When a user changes their email via PATCH /auth/change-email, the Auth Service publishes a UserEmailChangedEvent to RabbitMQ so that the User Service can update its own copy of the email without a synchronous Feign call.
```java
// From AuthService.changeEmail()
UserEmailChangedEvent event = new UserEmailChangedEvent(user.getId(), newEmail);
rabbitTemplate.convertAndSend("user.exchange", "user.email.changed", event);
```

| Property | Value |
|---|---|
| Exchange | user.exchange |
| Routing key | user.email.changed |
| Queue (consumer) | user.email.changed |
| Exchange type | topic |

Auth Entity

The users table in auth_service_db stores only authentication-related fields.
| Field | Type | Notes |
|---|---|---|
| id | Long | Primary key, auto-incremented |
| email | String | Unique, not null |
| password | String | BCrypt-hashed, not null |
| emailVerified | boolean | false until verification code is used |
| verificationCode | String | UUID; set to null after verification |
| rol | Role | Enum: USER or ADMIN |

Configuration Reference

All properties come from auth-service/src/main/resources/application.yml.
| Property | Value / Default | Description |
|---|---|---|
| server.port | 8082 | HTTP port the service binds to |
| jwt.secret | mySuperUltraSecretKeyForJWTGeneration… | Shared HS256 signing key |
| jwt.expiration | 86400000 (ms = 24 h) | Token lifetime |
| spring.mail.host | smtp.gmail.com | SMTP host for verification emails |
| spring.mail.port | 587 | SMTP port (STARTTLS) |
| rabbitmq.host | localhost | RabbitMQ broker host |
| rabbitmq.port | 5672 | RabbitMQ AMQP port |
| eureka.instance.hostname | auth-service | Service discovery registration name |

```yaml
# auth-service/src/main/resources/application.yml (key excerpt)
server:
  port: 8082

jwt:
  secret: mySuperUltraSecretKeyForJWTGeneration123456!
  expiration: 86400000   # 1 day in milliseconds

spring:
  mail:
    host: smtp.gmail.com
    port: 587
    properties:
      mail:
        smtp:
          starttls:
            enable: true
```

The jwt.secret value shown here lives in application.yml inside the repository, and every service and the gateway hold a copy of it. A secret that has been committed should be treated as disclosed: inject it through an environment variable or a secrets store using Spring's property placeholder syntax rather than checking it in, and rotate it across all consumers at once, since a token signed under the old value will be accepted by any service still holding it.
