Credith authenticates users with JWT tokens stored in HTTP cookies — noDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/RoyGeova07/Credith/llms.txt
Use this file to discover all available pages before exploring further.
Authorization: Bearer header is needed. When you log in, the server calls generateToken() and writes the signed JWT directly into a token cookie on the response. From that point on, your HTTP client automatically includes the cookie on every subsequent request to the same origin. The server-side authMiddleware reads req.cookies.token, verifies it with verifyToken(), and attaches the decoded payload to req.user for the duration of that request lifecycle.
Obtaining a Token
To receive a JWT cookie you must log in with an existing account viaPOST /api/users/login. Registering a new user (POST /api/users) creates the account but does not set any cookie — you must call the login endpoint afterwards.
Register — POST /api/users
Creates a new user record and returns a 201 response. No cookie is set. The server validates all required fields, hashes the password with bcrypt, persists the user, and assigns the requested role (defaults to Employee).
User’s first given name. Cannot be blank.
User’s second given name. Cannot be blank.
User’s first family name. Cannot be blank.
User’s second family name. Cannot be blank.
Unique email address. Returns
400 if already registered.Plain-text password. Must be at least 6 characters long. Stored as a bcrypt hash.
UUID of the store this user belongs to. Must reference an existing
stores record.UUID of the checkout machine assigned to this user. Must reference an existing
checkout_machines record.Optional role name. Accepted values:
Admin, Employee. Defaults to Employee if omitted or invalid.201 Created):
Login — POST /api/users/login
Authenticates an existing user by email and password. On success, the server generates a JWT with generateToken(), sets two cookies (token and session), and returns 200.
Registered email address of the user.
Plain-text password. Verified against the stored bcrypt hash.
200 OK):
| Cookie | httpOnly | Description |
|---|---|---|
token | true | Signed JWT. Not readable from JavaScript. Sent automatically by the browser on every request. |
session | false | JSON string with userId, first_name, role, storeId, storeAddress, checkoutMachine, etc. Readable by the frontend via document.cookie. |
Using the Token
Once you have logged in and captured the cookies (with-c cookies.txt), pass --cookie cookies.txt on every subsequent request that requires authentication:
fetch or XMLHttpRequest call — no manual header wiring is needed (provided credentials: 'include' is set on fetch, or withCredentials: true on Axios).
How authMiddleware Works
The middleware, defined in middlewares/authMiddleware.js, runs the following logic on every protected route:
req.user payload contains:
Token Lifetime
Tokens are signed withprocess.env.JWT_SECRET and expire after COOKIE_LIFETIME_HOURS hours (default: 2 hours). The cookie’s maxAge is set to the same duration so both the cookie and the token expire together.
Protected Routes
| Method | Path | Description |
|---|---|---|
PUT | /api/users/desactivate/:id | Soft-deactivates a user (sets isActive = false). Requires a valid token cookie. |
PUT | /api/users/activate/:id | Re-activates a previously deactivated user (sets isActive = true). Requires a valid token cookie. |
PUT | /api/users/update-password | Updates the authenticated user’s own password. Requires a valid token cookie. |
Updating Your Password
ThePUT /api/users/update-password endpoint updates the password of the currently authenticated user. The user’s id is taken directly from req.user.id (the decoded JWT payload), so no :id path parameter is needed.
The user’s existing plain-text password. Verified against the stored bcrypt hash before the update is applied. Returns
400 if incorrect.The desired new password. Must be at least 6 characters long.
200 OK):
Session Cookie
In addition to the HttpOnlytoken cookie, the server sets a session cookie containing a JSON-encoded object with display-safe user data. Unlike token, this cookie is not HttpOnly, meaning the frontend JavaScript can read it directly (e.g. to show the logged-in user’s name in the UI):
The
session cookie is populated at login time and reflects the user’s role and store assignment at that moment. It is not updated automatically if those values change server-side before the session expires. Re-login to refresh it.Logging Out
Send aPOST to /api/users/logout to clear both the token and session cookies. No request body or auth cookie is required — the server unconditionally clears both cookies.
200 OK):