Credith authenticates every user with a signed JSON Web Token (JWT) issued by the Express backend. On a successful login the server sets two cookies — anDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/RoyGeova07/Credith/llms.txt
Use this file to discover all available pages before exploring further.
httpOnly token cookie that the browser automatically sends on every subsequent request, and a readable session cookie that the React frontend parses to display the user’s name and role without making an extra API call. Passwords are hashed with bcrypt (10 salt rounds) before storage, and all token verification happens inside a dedicated middleware that short-circuits unauthorised requests before they reach any controller.
Registering a User
POST /api/users creates a new user record in the cd.users table. All name fields are required, the password must be at least six characters, and the email must be unique. You must also supply a valid storeId (UUID) and a valid checkoutMachineId (UUID) — users are always created pre-assigned to both a store and a checkout machine.
201 with the new user object (password excluded). The role field accepts "EMPLOYEE" or "ADMIN" — any other value defaults to "EMPLOYEE".
POST /api/users does not issue a cookie or log the user in — it only creates the account. To obtain a session the user must call POST /api/users/login separately.Logging In
POST /api/users/login validates credentials, generates a JWT, and sets both cookies in the response. The token payload contains { id, email, role, storeId } and expires after the number of hours configured in COOKIE_LIFETIME_HOURS (defaults to 2).
200 response sets two Set-Cookie headers:
| Cookie | httpOnly | Purpose |
|---|---|---|
token | true | JWT used by the server middleware for auth checks |
session | false | JSON blob read by the frontend for UI display |
session cookie contains:
How Cookies Are Read on the Frontend
The React app uses agetSession() helper that parses document.cookie to extract the session cookie without any additional network request:
fetch calls from the frontend include credentials: 'include' so the httpOnly token cookie is automatically attached:
The Auth Middleware
authMiddleware is applied to protected routes across the API. The middleware reads req.cookies.token, verifies the signature with verifyToken (which calls jwt.verify against process.env.JWT_SECRET), and attaches the decoded payload to req.user.
Protected Routes
The following user-management endpoints require a valid JWT cookie:| Method | Path | Description |
|---|---|---|
PUT | /api/users/desactivate/:id | Soft-deactivate a user (isActive = false) |
PUT | /api/users/activate/:id | Re-activate a user (isActive = true) |
PUT | /api/users/update-password | Update the authenticated user’s password |
Updating a Password
PUT /api/users/update-password reads the authenticated user’s id from req.user (set by the middleware) — you do not need to pass the user ID in the body. The new password must be at least six characters.
200 response confirms the update:
| Status | Message |
|---|---|
400 | "La nueva contraseña debe tener al menos 6 caracteres" |
400 | "La contraseña actual es incorrecta" |
401 | "Token requerido" / "Token invalido" |
404 | "Usuario no encontrado" |
Logging Out
POST /api/users/logout clears both cookies server-side:
Credith uses cookie-based auth rather than an
Authorization: Bearer header. The httpOnly flag on the token cookie means JavaScript on the client cannot read or tamper with it, which prevents XSS token theft. If you are testing with tools like Postman, enable the Cookie Jar feature (or use -c/-b with curl) so the token cookie is stored and replayed automatically.