UniSierra Eats does not use JWTs or server-side cookies. Instead, the server returns a plain user object on successful login, and the frontend stores it as JSON in the browser’s localStorage under the key unisierra_sesion. Every page checks this key on load to decide what UI to show — authenticated nav, profile links, admin controls, or the public login/register buttons.

Session Object Structure

After a successful login the object stored in localStorage has the following shape:
{
  "id": 1,
  "nombre": "Ana López",
  "correo": "ana.lopez@unisierra.edu.mx",
  "rol_id": 2
}
| Field | Type | Description |
|---|---|---|
| id | Integer | Primary key of the user in the Usuarios table |
| nombre | String | Full display name |
| correo | String | Institutional email address |
| rol_id | Integer | 1 = Administrador, 2 = Estudiante |
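
The following added example (not code from app.js or the UniSierra Eats project) shows one way a page could read unisierra_sesion defensively on load: the stored value is user-editable, so it is parsed, shape-checked against the fields above, and used only to choose which UI to render. readSession, fakeStorage and the ROLES map are hypothetical names, and the domain check assumes the stored correo carries the lowercase institutional suffix.

```javascript
// Added example, not project code. Names below are hypothetical.
const SESSION_KEY = 'unisierra_sesion';
const ROLES = { 1: 'Administrador', 2: 'Estudiante' };
const DOMAIN = '@unisierra.edu.mx';

// Returns a frozen, validated session or null. `storage` is any object with
// getItem/removeItem (window.localStorage in the browser).
function readSession(storage) {
    const raw = storage.getItem(SESSION_KEY);
    if (raw === null) return null;            // no session: show public UI

    let parsed;
    try {
        parsed = JSON.parse(raw);
    } catch {
        parsed = null;                        // corrupted value
    }

    const valid =
        parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed) &&
        Number.isInteger(parsed.id) && parsed.id > 0 &&
        typeof parsed.nombre === 'string' && parsed.nombre.length > 0 &&
        typeof parsed.correo === 'string' && parsed.correo.endsWith(DOMAIN) &&
        Number.isInteger(parsed.rol_id) &&
        Object.prototype.hasOwnProperty.call(ROLES, parsed.rol_id);

    if (!valid) {
        storage.removeItem(SESSION_KEY);      // same effect as the logout step
        return null;
    }
    // Copy only the documented fields; unknown keys are dropped. The result
    // selects UI only: localStorage is user-editable, so the server must
    // authorize each request on its own.
    return Object.freeze({
        id: parsed.id,
        nombre: parsed.nombre,
        correo: parsed.correo,
        rol_id: parsed.rol_id,
        rol: ROLES[parsed.rol_id],
    });
}

// Constructed in-memory stand-in for localStorage so the example runs in Node.
function fakeStorage(initial) {
    const data = new Map(Object.entries(initial));
    return {
        getItem: (key) => (data.has(key) ? data.get(key) : null),
        removeItem: (key) => { data.delete(key); },
    };
}
```

In the browser, call readSession(window.localStorage) and render nombre with textContent rather than innerHTML, since the string comes from client-held storage.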

Registration

Registration fails immediately if the email address does not end in @unisierra.edu.mx. The server returns HTTP 400 with { "error": "Solo se permite el registro con correos institucionales (@unisierra.edu.mx)." }.
Endpoint: POST /api/registro

Request body:
{
  "nombre": "Ana López",
  "correo": "ana.lopez@unisierra.edu.mx",
  "password": "mypassword123"
}
Success response (200 OK):
{
  "mensaje": "Usuario registrado con éxito",
  "id": 7
}
The email must be unique. If it already exists, the server returns HTTP 400 with { "error": "Error al registrar: Es posible que el correo ya esté en uso." }.

Example fetch call (from app.js):
const res = await fetch('/api/registro', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
        nombre: 'Ana López',
        correo: 'ana.lopez@unisierra.edu.mx',
        password: 'mypassword123'
    })
});
const data = await res.json();

if (res.ok) {
    alert("¡Registro exitoso! Ahora puedes iniciar sesión.");
} else {
    alert(data.error || "Error al registrar");
}

Login

Endpoint: POST /api/login

Request body:
{
  "correo": "ana.lopez@unisierra.edu.mx",
  "password": "mypassword123"
}
Success response (200 OK):
{
  "mensaje": "Inicio de sesión exitoso",
  "usuario": {
    "id": 7,
    "nombre": "Ana López",
    "correo": "ana.lopez@unisierra.edu.mx",
    "rol_id": 2
  }
}
Error response (401 Unauthorized):
{
  "error": "Correo o contraseña incorrectos"
}

Login Examples

Students have rol_id === 2. After login the session is saved and the page reloads to reveal the authenticated nav bar.
const res = await fetch('/api/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
        correo: 'ana.lopez@unisierra.edu.mx',
        password: 'mypassword123'
    })
});
const data = await res.json();

if (res.ok) {
    // Persist session to localStorage
    localStorage.setItem('unisierra_sesion', JSON.stringify(data.usuario));

    // Students stay on the public site
    window.location.reload();
} else {
    alert(data.error || "Error al iniciar sesión");
}

Role-Based Redirect

Once data.usuario is received, app.js inspects rol_id to decide where to send the user:
| rol_id | Role | Redirect destination |
|---|---|---|
| 1 | Administrador | admin/panel_admin.html |
| 2 | Estudiante | Current page reload (stays on public site) |

if (data.usuario.rol_id === 1) {
    window.location.href = '../admin/panel_admin.html';
} else {
    window.location.reload();
}

Logout

Logout is entirely client-side: the session key is removed from localStorage and the user is sent back to the landing page.
localStorage.removeItem('unisierra_sesion');
window.location.href = 'index.html';
This is wired to the Salir button rendered in the nav bar whenever a session is detected.

Admin Registration

A separate endpoint registers a user with rol_id = 1 (Administrador). It accepts the same fields as the student registration endpoint.

Endpoint: POST /api/admin/registro

Request body:
{
  "nombre": "Carlos Admin",
  "correo": "carlos.admin@unisierra.edu.mx",
  "password": "securepassword"
}
Success response (200 OK):
{
  "message": "Nuevo administrador registrado con éxito."
}
The admin registration response uses the key message (English), while most other endpoints use mensaje (Spanish). This is an intentional difference in the source code.
The same @unisierra.edu.mx domain restriction applies. If the email already exists the server returns HTTP 400.
Passwords are stored in plaintext in the SQLite database. UniSierra Eats is a demo application and is not intended for production use with real credentials. Do not reuse passwords from other services.
