ReservaFácil authenticates users with JSON Web Tokens (JWTs) signed using the HS256 algorithm via theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Nyverie/reservafacil/llms.txt
Use this file to discover all available pages before exploring further.
jose library. Rather than storing tokens in localStorage (which is vulnerable to XSS), the platform sets the JWT in an HTTP-only cookie so that the browser attaches it automatically on every request without any client-side JavaScript involvement. The Next.js middleware layer then verifies the token on every protected-route request before the page or API handler even runs.
Authentication Flow
Log In
The client sends a
POST request to /api/auth/login with email and password. The API looks up the user record in the database, checks that activo is true, and compares the submitted password against the stored bcrypt hash using bcryptjs.Token Issued and Set in Cookie
On success, the API calls
signToken() to produce a signed JWT containing the user’s id, email, nombre, and rol. The token is written into an HTTP-only cookie named token with a 7-day expiry. The JSON response also returns the public user object (without the password).Browser Sends Cookie Automatically
Every subsequent request the browser makes to the same origin (including page navigations and
fetch calls) automatically includes the token cookie in the Cookie header. No manual token management is needed in client code.Middleware Verifies the Token
For any request matching
/dashboard/:path*, /admin/:path*, or /superadmin/:path*, the Next.js middleware reads the token cookie, calls verifyToken(), and checks whether the decoded role is permitted on that route. Unauthenticated or unauthorised requests are redirected before the page renders.JWT Payload
Every token encodes the following claims, defined inlib/auth.ts:
Token Signing and Verification
Both functions live inlib/auth.ts and use the jose library with an HS256 signing secret read from the JWT_SECRET environment variable:
signToken— Creates and signs a new JWT from aJWTPayload. Sets the algorithm toHS256and the expiry to7d. Called by the login route handler immediately after validating credentials.verifyToken— Decodes and verifies an existing token string. Returns theJWTPayloadon success, ornullif the token is missing, malformed, or expired. Used by both the middleware andgetSession().getTokenFromCookie— Extracts the raw token string from aCookieheader string using a regex match on thetoken=segment. Useful in contexts where thecookies()Next.js helper is not available (e.g. custom middleware utilities or edge functions).
Session Helpers
lib/session.ts provides three server-side helpers that build on verifyToken:
Usage Examples
Retrieve the current user in a Server Component:Cookie Security Attributes
Thetoken cookie is set with the following attributes by /api/auth/login:
| Attribute | Value | Purpose |
|---|---|---|
httpOnly | true | Prevents JavaScript from reading the cookie. |
secure | true in production, false in dev | Ensures the cookie is only sent over HTTPS in production. |
sameSite | lax | Sent on same-site requests and top-level cross-site navigations (e.g. following a link), but not on cross-origin fetch. Provides CSRF protection. |
maxAge | 60 * 60 * 24 * 7 (604,800 seconds) | Cookie and token both expire after 7 days. |
path | / | Cookie is sent with every request to the domain. |
Because the
token cookie is httpOnly, no client-side JavaScript can read it — including document.cookie and any third-party scripts. This protects the token from XSS attacks. To check authentication state on the client side, call a lightweight API endpoint (e.g. GET /api/auth/me) that reads the server-side session and returns the public user object.Checking Auth in API Routes
The standard pattern for reading the session in a Next.js Route Handler is:requireAuth() or requireRole() instead of the manual null-check — they throw immediately, and you can catch the error to return a consistent 401/403 response.
Middleware Route Protection
The Next.js middleware (middleware.ts) intercepts every request to the protected route prefixes defined in config.matcher and enforces token validity and role checks before the request reaches any page or layout:
- No
tokencookie → redirect to/login. - Token present but invalid/expired → delete the
tokencookie, redirect to/login. - Token valid, but the user’s role is not in the allowed list for the route → redirect to the user’s own dashboard (
getDashboardPorRol). - Token valid and role is permitted → pass the request through to the page.