LWS Job Portal uses JSON Web Tokens (JWT) for stateless authentication. Every account belongs to one of two roles —Documentation Index
Fetch the complete documentation index at: https://mintlify.com/iDevRanjan/lws-ra-b4-assignment-five/llms.txt
Use this file to discover all available pages before exploring further.
USER (job seekers) and COMPANY (employers) — and each role unlocks different API capabilities. After registering or logging in, you receive a signed 30-day token that must accompany every request to a protected endpoint via the Authorization: Bearer <token> header. The frontend stores this token in localStorage and attaches it automatically. Server-side, the protect middleware validates the token and populates req.user or req.company, while authorize(role) enforces role-level access control.
Tokens expire after 30 days. When a token expires, the client must call
POST /api/auth/login again to obtain a fresh one. No refresh token flow exists in the current implementation.How JWT Auth Works
Register or Log in
Call
POST /api/auth/register or POST /api/auth/login. Both endpoints return a token string and a data object with the account details.Store the token
Persist the token in
localStorage (or a secure cookie). The official frontend stores it under the key token.Attach to every protected request
Add the
Authorization header to every request that requires authentication:Roles
| Role | Description |
|---|---|
USER | Job seekers who search and apply for positions |
COMPANY | Employers who post jobs and manage applications |
Middleware Reference
protect — validates the Bearer token
protect — validates the Bearer token
Reads the
Authorization header, extracts the token, verifies it with JWT_SECRET, and populates either req.user (for USER tokens) or req.company (for COMPANY tokens). Also sets req.userRole.Failure responses:401 Not authorized, no token— header missing401 Not authorized, token failed— token invalid or expired401 Not authorized, user not found— token valid but user account deleted401 Not authorized, company not found— token valid but company account deleted
authorize(role) — enforces role-level access
authorize(role) — enforces role-level access
Endpoints
POST /api/auth/register
Register a new user or company account. On success the server creates the record, generates a signed JWT, and returns both immediately — no separate login step required. Auth: NoneRequest
Full name for a user, or company display name for a company account.
Must be a valid email address. Checked for uniqueness across both User and Company tables.
Plain-text password — hashed with bcrypt (salt rounds: 10) before storage.
Must be exactly
USER or COMPANY. Any other value returns 400 Invalid role.Any additional fields passed alongside the required four are spread directly onto the created record. Useful for providing optional profile data at registration time (e.g.
title, industry).Response
true on a successful registration.Signed JWT valid for 30 days. Include this in the
Authorization: Bearer header on all subsequent requests.Example
- Register as USER
- Register as COMPANY
POST /api/auth/login
Authenticate an existing user or company and receive a fresh JWT. Auth: NoneRequest
The registered email address.
Plain-text password. Compared against the bcrypt hash stored in the database.
Must be
USER or COMPANY. This tells the server which table to look up the account in.Response
true on successful authentication.Signed JWT valid for 30 days.
Example
Response
GET /api/auth/me
Return the full profile of the currently authenticated account. The response shape differs based on whether the token belongs to aUSER or a COMPANY — both password fields are excluded from the response.
Auth: Required — Bearer token (USER or COMPANY)
Request
No request body. Authentication is handled entirely by theAuthorization header.
Response
true when the profile is found.The full User or Company record from the database, with
password excluded. See the Users API or Companies API for the complete list of fields on each model.Example
Response (USER)
Error Reference
| Status | Message | Cause |
|---|---|---|
400 | Please add all required fields | Missing name, email, password, or role on register |
400 | User already exists | Email is already registered in User or Company table |
400 | Invalid role | role is not USER or COMPANY |
400 | Invalid credentials | Email not found or password mismatch on login |
401 | Not authorized, no token | Authorization header missing |
401 | Not authorized, token failed | Token is malformed, expired, or signed with wrong secret |
401 | Not authorized, user not found | Token valid but the USER account has been deleted |
401 | Not authorized, company not found | Token valid but the COMPANY account has been deleted |
403 | User role X is not authorized… | Token role does not match the route’s authorize() guard |