The NuestraVoz API authenticates requests using an httpOnly session cookie (Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Renzo717/Aula-Virtual-Universidad-Radiolocucion/llms.txt
Use this file to discover all available pages before exploring further.
nv_session) that holds a Supabase JWT access token. When a user logs in successfully the server issues this cookie; the browser then attaches it automatically to every subsequent same-origin request. For cross-origin clients (such as a front-end running on a different port) you must explicitly opt in to sending credentials with each request.
Endpoints
POST /api/auth/register
Creates a new user account. Registration is open to estudiante and docente roles only — admin and preceptor accounts must be created by an administrator throughPOST /api/users.
Docente accounts are set to
status: "pendiente" automatically upon registration. An administrator must activate the account before the teacher can log in. Student accounts are activated immediately (status: "activo").Given name of the user. Minimum 2 characters.
Family name of the user. Minimum 2 characters.
A valid email address. Must be unique across the platform.
Account password. Minimum 6 characters.
Role to assign. Accepted values:
"estudiante" or "docente".| Status | error value | Cause |
|---|---|---|
400 | "Datos inválidos" | Zod validation failed — check details |
400 | Supabase error message | Email already in use or Supabase auth error |
POST /api/auth/login
Authenticates a user with email and password. On success, the response sets thenv_session cookie and returns the user’s profile data. This cookie must be included in all subsequent requests to protected endpoints.
Request body
The user’s registered email address.
The user’s password. Minimum 6 characters.
When
true, the session cookie has a maxAge of 30 days. When false or omitted, the cookie expires after 1 day.Set-Cookie response header sets nv_session with the Supabase JWT access token.
The authenticated user’s profile.
| Property | Value |
|---|---|
| Name | nv_session (configurable via SESSION_COOKIE_NAME env var) |
httpOnly | true — not accessible from JavaScript |
secure | true in production, false in development |
sameSite | lax |
path | / |
maxAge | 30 days if remember: true; 1 day otherwise |
| Status | error value | Cause |
|---|---|---|
400 | "Datos inválidos" | Zod validation failed |
401 | "Credenciales inválidas" | Email or password is incorrect |
403 | "Cuenta inactiva o pendiente de aprobación" | Account status is "inactivo" |
403 | "Tu cuenta de docente está pendiente de aprobación" | Docente account awaiting admin activation |
GET /api/auth/me
Returns the full profile of the currently authenticated user. Requires a validnv_session cookie.
Success response — 200 OK
Extended profile, including optional contact information and the last login timestamp.
POST /api/auth/logout
Clears thenv_session cookie, ending the session. No request body is required.
Success response — 200 OK
Making Authenticated Requests
Every request to a protected route must include the session cookie. How you do this depends on your HTTP client:The cookie is sent automatically once
credentials: "include" (or withCredentials: true) is set — you never need to read or pass the token manually.Middleware Reference
All protected routes in the NuestraVoz API are guarded by one or both of the following middleware functions, defined inapps/api/src/middleware/auth.ts.
requireAuth
Verifies that the incoming request carries a valid nv_session cookie, validates the JWT against Supabase, and fetches the user’s profile from the profiles table. If the check passes, it attaches a user object to req for use by downstream handlers.
| Failure condition | HTTP status | error value |
|---|---|---|
| Cookie absent | 401 | "No autenticado" |
| JWT invalid or expired | 401 | "Sesión inválida" |
Profile not found or status === "inactivo" | 403 | "Cuenta inactiva" |
requireRole(...roles)
A factory that returns middleware enforcing that req.user.rol is one of the accepted roles. Must be used after requireAuth in the middleware chain.
| Failure condition | HTTP status | error value |
|---|---|---|
req.user missing (called without requireAuth) | 401 | "No autenticado" |
| User’s role not in the allowed list | 403 | "Sin permisos" |