
CoffeePrice’s session endpoints let users authenticate with their email and password, retrieve their current profile, and end their session. Authentication state is carried by a signed JWT stored in the auth_token HttpOnly cookie; the browser attaches that cookie automatically to every subsequent request to the API, and page scripts cannot read it.

POST /api/auth/login

Validate credentials and issue a session cookie.
POST /api/auth/login
Rate limit: 10 requests per 15 minutes per IP (loginLimiter).

Request Body

email
string
required
The user’s registered email address. Case-insensitive — normalized to lowercase server-side.
password
string
required
The account password.

Success Response — 200 OK

On success the server:
  1. Sets the auth_token HttpOnly cookie containing a signed JWT.
  2. Updates the user’s ultimaConexion timestamp.
  3. Returns the user session object in the response body.
{
  "user": {
    "id": "664f1a2b3c4d5e6f7a8b9c0d",
    "nombre": "Maria",
    "apellido": "Lopez",
    "email": "maria@example.com",
    "rol": "productor",
    "celular": "3001234567",
    "estado": "activo"
  },
  "role": "productor",
  "name": "Maria",
  "apellido": "Lopez",
  "id": "664f1a2b3c4d5e6f7a8b9c0d",
  "celular": "3001234567",
  "email": "maria@example.com"
}
user
object
Condensed session object.
role
string
Shorthand copy of user.rol.
name
string
Shorthand copy of user.nombre.
apellido
string
Shorthand copy of user.apellido.
id
string
Shorthand copy of user.id.
celular
string
Shorthand copy of user.celular.
email
string
Shorthand copy of user.email.

Error Responses

Status  Condition
400     Missing email or password, invalid email format, or the account was created via Google (no local password).
401     Email not found or password does not match; both cases return the same message, Credenciales invalidas.
403     Account is pendiente (unverified), rechazado (rejected), or eliminado (deleted).
429     Rate limit exceeded (10 attempts per 15 minutes per IP).
500     Unexpected server error.

Example

curl -X POST https://your-backend.up.railway.app/api/auth/login \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{
    "email": "maria@example.com",
    "password": "SecurePass1"
  }'
{
  "user": {
    "id": "664f1a2b3c4d5e6f7a8b9c0d",
    "nombre": "Maria",
    "apellido": "Lopez",
    "email": "maria@example.com",
    "rol": "productor",
    "celular": "3001234567",
    "estado": "activo"
  },
  "role": "productor",
  "name": "Maria",
  "apellido": "Lopez",
  "id": "664f1a2b3c4d5e6f7a8b9c0d",
  "celular": "3001234567",
  "email": "maria@example.com"
}

GET /api/auth/me

Return the full profile of the currently authenticated user.
GET /api/auth/me
Authentication required. Pass the auth_token cookie (set automatically by the browser) or supply the token manually via the Authorization: Bearer <token> header.

Response — 200 OK

Sensitive fields are stripped before the document is returned. The following fields are excluded from the response: password, codigoVerificacion, codigoVerificacionExpira, codigoRecuperacion, codigoExpiracion.
_id
string
MongoDB ObjectId of the user.
nombre
string
First name.
apellido
string
Last name.
email
string
Email address.
rol
string
Account role: productor, comprador, or admin.
estado
string
Account state: activo, pendiente, suspendido, rechazado, or eliminado.
celular
string
Phone number, if provided.
googleId
string
Google account identifier for OAuth-registered users; null for accounts that have a local password.
ultimaConexion
string
ISO 8601 timestamp of the user’s most recent login.
createdAt
string
ISO 8601 timestamp of account creation (added by Mongoose timestamps).

Error Responses

Status  Condition
401     No token provided, or the token is invalid or expired.
403     Account state is rechazado or eliminado, or pendiente for any role other than comprador.
404     Token is valid but no matching user was found in the database.

Example

curl https://your-backend.up.railway.app/api/auth/me \
  -H "Authorization: Bearer <your_jwt_token>"
{
  "_id": "664f1a2b3c4d5e6f7a8b9c0d",
  "nombre": "Maria",
  "apellido": "Lopez",
  "email": "maria@example.com",
  "rol": "productor",
  "estado": "activo",
  "celular": "3001234567",
  "googleId": null,
  "ultimaConexion": "2024-05-23T14:30:00.000Z",
  "createdAt": "2024-05-20T09:00:00.000Z"
}

POST /api/auth/logout

End the current session and clear all authentication cookies.
POST /api/auth/logout
This endpoint destroys the server-side session (if any), then clears both the auth_token cookie and the connect.sid session cookie from the browser. The Cache-Control: no-store header is set so that the browser does not cache the response. No request body is required. Note that clearing the cookie only removes it from the browser: this page describes no server-side revocation of the JWT, so a token copied out of auth_token before logout keeps verifying until its expiry.

Success Response — 200 OK

{
  "message": "Sesion cerrada exitosamente"
}

Example

curl -X POST https://your-backend.up.railway.app/api/auth/logout \
  -b cookies.txt \
  -c cookies.txt
{
  "message": "Sesion cerrada exitosamente"
}
