The authentication system in NuestraVoz — Campus Virtual is built on Supabase Auth and uses an HTTP-only session cookie (Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Renzo717/Aula-Virtual-Universidad-Radiolocucion/llms.txt
Use this file to discover all available pages before exploring further.
nuestravoz_session) to persist login state. All public endpoints (/register, /login, /logout) require no credentials. Endpoints marked requireAuth validate the session cookie on every request and reject unauthenticated calls with 401 Unauthorized. Profile management is handled through the separate /api/perfil route, which shares the same auth middleware.
POST /api/auth/register
Registers a new user account.estudiante accounts are immediately set to activo; docente accounts are created with status: pendiente and must be approved by an administrator before they can log in.
Auth: Public — no cookie required.
Request body
First name. Minimum 2 characters.
Last name. Minimum 2 characters.
Valid email address. Used as the Supabase Auth login identifier.
Password. Minimum 6 characters.
Role for the new account. Must be
estudiante or docente.Response — 201 Created
Error responses
| Status | Meaning |
|---|---|
400 | Validation error — details field contains Zod flatten output. |
400 | Email already registered in Supabase Auth. |
Example
POST /api/auth/login
Authenticates the user with email and password. On success, writes an HTTP-only session cookie that subsequent authenticated requests must include. The cookie TTL is 30 days whenremember: true and 24 hours otherwise.
Auth: Public — no cookie required.
Request body
Registered email address.
Account password. Minimum 6 characters.
When
true, the session cookie TTL extends to 30 days instead of 24 hours.Response — 200 OK
Sets Set-Cookie: nuestravoz_session=<jwt>; HttpOnly; SameSite=Lax.
Error responses
| Status | Meaning |
|---|---|
400 | Validation error on request body. |
401 | Invalid email or password. |
403 | Account is inactivo, or a docente account with status: pendiente. |
Example
POST /api/auth/logout
Clears the session cookie, effectively ending the user’s session. This endpoint always returns200 regardless of whether a valid session was present.
Auth: Public — the cookie is cleared whether or not it was valid.
Response — 200 OK
Example
GET /api/auth/me
Returns the full profile of the currently authenticated user. Includes all profile fields stored in theprofiles table.
Auth: requireAuth — valid session cookie required.
Response — 200 OK
Error responses
| Status | Meaning |
|---|---|
401 | No valid session cookie. |
404 | Profile record not found for the authenticated user ID. |
Example
GET /api/perfil
Returns the complete profile record for the currently authenticated user. Identical in shape toGET /api/auth/me but sourced from the /api/perfil router and intended for profile-page use.
Auth: requireAuth — valid session cookie required.
Response — 200 OK
Returns the full
Profile record. See GET /api/auth/me for field descriptions.Example
PATCH /api/perfil
Updates one or more mutable profile fields for the authenticated user. All fields are optional; send only the fields you wish to change. Ifemail is included, the Supabase Auth identity is also updated.
Auth: requireAuth — valid session cookie required.
Request body
Updated first name. Minimum 2 characters.
Updated last name. Minimum 2 characters.
National ID number.
Phone / mobile number.
Updated email address. Must be a valid email format. Triggers a Supabase Auth email update as well.
Response — 200 OK
Returns the updated
Profile record. See GET /api/auth/me for field descriptions.Error responses
| Status | Meaning |
|---|---|
400 | Validation error on request body. |
400 | Database-level error (e.g., duplicate email). |
401 | No valid session cookie. |
Example
POST /api/perfil/avatar
Uploads a new avatar image for the authenticated user. The file is stored in theavatars Supabase Storage bucket and the resulting public URL is written to the avatar_url field of the profile. Accepts any common image format; maximum file size is 5 MB. The request must use multipart/form-data encoding.
Auth: requireAuth — valid session cookie required.
Request body
Send asmultipart/form-data.
The image file to upload. Maximum size: 5 MB.
Response — 200 OK
Returns the updated
Profile record with the new avatar_url populated.Error responses
| Status | Meaning |
|---|---|
400 | No file included in the request. |
400 | Supabase Storage upload error. |
401 | No valid session cookie. |
Example
POST /api/perfil/password
Changes the password for the authenticated user. The request must supply the current password (password) for schema validation context and the desired new password (newPassword). The actual update is applied via the Supabase Auth admin API.
Auth: requireAuth — valid session cookie required.
Request body
Current password. Minimum 6 characters.
New password. Minimum 6 characters.
Response — 200 OK
Error responses
| Status | Meaning |
|---|---|
400 | Validation error on request body. |
400 | Supabase Auth error (e.g., password too weak). |
401 | No valid session cookie. |