Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Rubick65/calenderyBack/llms.txt
Use this file to discover all available pages before exploring further.
Overview
CalenderyBack relies on HTTP Basic authentication provided by Spring Security. There are no session cookies, no JWT tokens, and no OAuth flows — every request to a protected route must include anAuthorization header with the user’s email and password encoded in Base64.
Registration Flow
New accounts go through a two-step register → verify flow before they can authenticate.Step 1 — Register
POST /api/users/auth/register is public (no credentials needed).
Request body (UserDto):
| Field | Type | Required | Notes |
|---|---|---|---|
nombre | string | ✅ | Display name (@NotBlank) |
email | string | ✅ | Must pass @ValidEmail check |
keypass | string | ✅ | Plain-text password (hashed with BCrypt at rest) |
descripcion | string | — | Bio, max 200 characters |
200 OK — UserInfoResponseDto:
Step 2 — Confirm Email Token
200 OK (empty body). The enable flag on the user entity is set to true — the account is now active.
Login
POST /api/users/auth/login validates credentials and returns the user’s identity information. Pass the credentials as an HTTP Basic header.
200 OK — UserInfoResponseDto:
idUsuario value is important: several protected endpoints accept it as a query parameter and use @PreAuthorize to check that the authenticated principal matches.
Account Validation
UseGET /api/users/auth/validateUser to check whether an email address exists in the system and whether its account is enabled — useful for “forgot password” or pre-login checks.
200 OK — UserValidationDto:
| Field | Type | Description |
|---|---|---|
userInfo | object | idUsuario and roles for the matched account |
enable | boolean | true if the account has been email-verified |
Resend Verification Token
If the original verification email was lost or expired, a new token can be requested:204 No Content. A fresh verification email is dispatched to the address on file.
Public vs Protected Routes
The route protection rules are defined inSecurityConfig and applied globally:
| Path pattern | Access level | Notes |
|---|---|---|
POST /api/users/auth/register | Public | Creates a new, unverified account |
GET /api/users/registrationConfirm | Public | Activates account via email token |
GET /api/users/auth/resendRegistrationToken | Public | Re-sends the verification email |
GET /api/users/auth/validateUser | Public | Checks if an email/account exists |
POST /api/users/auth/login | Authenticated | HTTP Basic; any valid enabled account |
/api/users/app/** | ROLE_USER required | All user profile / settings endpoints |
/api/publication/app/** | ROLE_USER required | Publication feed endpoints |
/api/chat/** | ROLE_USER required | Chat room endpoints |
/ws-endpoint/** | ROLE_USER required | STOMP WebSocket connection |
OPTIONS /** | Public | CORS preflight pass-through |
| All other paths | Any authenticated user | Fallback rule |
Ownership Guards (@PreAuthorize)
Several endpoints carry an additional method-level @PreAuthorize annotation that ensures the authenticated user can only access their own resources:
| Endpoint | Guard parameter |
|---|---|
GET /api/users/app/getUserSettings | idUsuario |
PUT /api/users/app/updateUserSetting | idUsuario |
PUT /api/users/app/publicKey | userId |
GET /api/users/app/checkPublicKey | idUsuario |
GET /api/users/activeAccountConfirmation | idUsuario |
Public-Key Exchange (End-to-End Encryption)
CalenderyBack exposes three endpoints for managing per-user public keys, enabling clients to implement end-to-end encrypted messaging:Upload / update your public key
ROLE_USER and the userId must match the authenticated principal.
200 OK (empty body).
Retrieve another user’s public key
ROLE_USER. Any authenticated user may retrieve any other user’s public key (it is public by design).
200 OK:
Verify your own stored public key
ROLE_USER and ownership guard on idUsuario. Returns 200 OK if the supplied key matches the stored value, otherwise throws an application-level error.
Password Security
Passwords are stored using BCrypt (via Spring Security’sBCryptPasswordEncoder). Plain-text passwords are never persisted:
UserDetailsService implementation (MyUserDetailsService) loads users by email and delegates password comparison to the encoder automatically during Basic auth processing.
Making Authenticated Requests — Quick Reference
Next Steps
Quickstart
Step-by-step guide to running the server locally and making your first API call.
Introduction
Architecture overview, functional domains, and the Mediator pattern.