The Authentication module handles every aspect of identity management in PortalHub. It covers credential validation and session creation at login, safe session teardown at logout, lightweight session-health checks for the frontend, CSRF token retrieval, mandatory first-login password changes, and administrator-driven user provisioning. All endpoints live underDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Nieto2020/portalhub/llms.txt
Use this file to discover all available pages before exploring further.
backend/modules/auth/ and follow the standard JSON envelope documented in the API Overview.
POST /auth/login.php
Validates email and password credentials, starts a PHP session, and returns the authenticated user’s identity. No prior authentication is required. Method:POSTPath:
/backend/modules/auth/login.phpAuth required: No
Request Body
The registered email address of the user. Must be a valid RFC 5322 email format.
The user’s plaintext password. It is verified server-side with
password_verify() against the stored bcrypt hash.Responses
200 on success."Inicio de sesión exitoso" on success.200 — Success
400 — Missing Fields
401 — Invalid Credentials
403 — Inactive Account
Session State After Login
On a successful login the following keys are written to$_SESSION:
| Key | Value |
|---|---|
id_usuario | Authenticated user’s primary key. |
id_rol | User’s role constant value. |
require_password_change | 0 or 1 from the database. |
ultima_actividad | Unix timestamp of login time. |
csrf_token | 64-character hex token (bin2hex(random_bytes(32))). |
session_regenerate_id(true) is called immediately before setting session variables to prevent session-fixation attacks. On failed credential checks a deliberate sleep(1) delay is applied to mitigate brute-force timing attacks.POST /auth/logout.php
Destroys the active session and expires thePHPSESSID cookie. The endpoint does not call checkAuth(), so it can be called even when the session has already expired — a safe-logout pattern.
Method: POSTPath:
/backend/modules/auth/logout.phpAuth required: No (safe to call with an expired session)
Response
200 — Session Destroyed
After this call the server invokes
session_destroy() and overwrites the PHPSESSID cookie with an expiry in the past. The client’s cookie jar will no longer contain a valid session identifier.GET /auth/check_session.php
Performs a lightweight session-validity check without updating theultima_actividad timestamp. Use this endpoint for polling the session state from the frontend without inadvertently extending the inactivity timeout.
Method: GETPath:
/backend/modules/auth/check_session.phpAuth required: Yes
Response
200 when the session is active and has not exceeded the inactivity timeout."Sesión activa".No payload is returned. The
200 status itself confirms validity.200 — Session Active
401 — No Session / Expired
GET /auth/csrf_token.php
Returns the CSRF token currently stored in the session. If the session does not yet contain a token (unusual after login, but possible in edge cases) a new one is generated and stored before responding. Method:GETPath:
/backend/modules/auth/csrf_token.phpAuth required: Yes
Response
200 on success."OK".200 — Token Retrieved
401 — Not Authenticated
POST /auth/update_password.php
Updates the authenticated user’s password. This endpoint is the only mutating action available to users whoserequire_password_change flag is 1. It requires a CSRF token and enforces a minimum password length of 8 characters. On success the require_password_change flag is cleared in both the database and the active session, and a new CSRF token is issued.
Method: POSTPath:
/backend/modules/auth/update_password.phpAuth required: Yes (accessible even when
require_password_change = 1)
Request Body
The desired new password. Must be at least 8 characters long.
Must exactly match
new_password. The server compares these server-side before hashing.The CSRF token from
$_SESSION['csrf_token']. Compared using hash_equals() to prevent timing attacks.Responses
200 on success."Contraseña actualizada exitosamente".200 — Password Updated
400 — Passwords Do Not Match
400 — Password Too Short
403 — Missing CSRF Token
403 — Invalid CSRF Token
After a successful password update,
$_SESSION['require_password_change'] is set to 0 and $_SESSION['csrf_token'] is rotated. Clients should discard the old CSRF token and fetch a fresh one from csrf_token.php if further mutating requests are needed in the same session.POST /auth/register.php
Creates a new user account. Restricted exclusively to users with ROL_ADMIN (id_rol = 1). New accounts are always created with require_password_change = 1, forcing the new user to set their own password on first login. The password supplied here is hashed with bcrypt and stored, but serves only as a temporary credential.
Method: POSTPath:
/backend/modules/auth/register.phpAuth required: Yes — ROL_ADMIN only
Request Body
Email address for the new account. Must be a valid email format and must not already exist in the
usuarios table.Temporary password for the new account. Hashed with
PASSWORD_BCRYPT before storage. The user will be required to change it on first login.Role to assign:
1 (Admin), 2 (Asesor), or 3 (Cliente).Optional client identifier (e.g.
"CLI-001"). Stored in the numero_cliente column. Pass null or omit for non-client roles.Responses
201 on successful creation."Usuario registrado exitosamente".No additional payload is returned on registration.
201 — User Created
400 — Email Already Registered
400 — Invalid Email Format
403 — Insufficient Role