Skip to main content

Endpoint

method
string
required
POST
url
string
required
/auth/login

Request

Headers

Content-Type
string
required
application/json

Body Parameters

email
string
required
User’s email address (max 255 characters)Must be a valid email format
password
string
required
User’s password (1-128 characters)

Example Request

cURL
curl -X POST https://api.ceboelha.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "SecureP@ss123"
  }'
JavaScript
const response = await fetch('https://api.ceboelha.com/auth/login', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  credentials: 'include', // Important: include cookies
  body: JSON.stringify({
    email: 'user@example.com',
    password: 'SecureP@ss123'
  })
});

const data = await response.json();
Python
import requests

response = requests.post(
    'https://api.ceboelha.com/auth/login',
    json={
        'email': 'user@example.com',
        'password': 'SecureP@ss123'
    }
)

data = response.json()

Response

Success Response (200)

success
boolean
required
Always true for successful requests
data
object
required
data.user
object
required
data.user._id
string
User’s unique identifier (MongoDB ObjectId)
data.user.email
string
User’s email address
data.user.name
string
User’s full name
data.user.role
string
User’s role (e.g., “user”, “admin”)
data.user.status
string
Account status (“active”, “inactive”, “banned”)
data.user.preferences
object
User preferences (theme, notifications, language, etc.)
data.user.stats
object
User statistics (meals logged, symptoms tracked, streaks, etc.)
data.user.createdAt
string
ISO 8601 timestamp of account creation
data.user.updatedAt
string
ISO 8601 timestamp of last update
data.expiresIn
number
Seconds until access token expires (typically 900 = 15 minutes)
message
string
required
Success message: “Login realizado com sucesso!”

Response Cookies

The following HttpOnly cookies are automatically set:
  • accessToken: JWT access token (expires in 15 minutes)
  • refreshToken: JWT refresh token (expires in 7 days)

Example Success Response

{
  "success": true,
  "data": {
    "user": {
      "_id": "507f1f77bcf86cd799439011",
      "email": "user@example.com",
      "name": "João Silva",
      "role": "user",
      "status": "active",
      "preferences": {
        "theme": "light",
        "notifications": true,
        "soundEnabled": true,
        "language": "pt-BR",
        "fodmapPhase": "reintroduction"
      },
      "stats": {
        "daysUsingApp": 45,
        "totalMealsLogged": 234,
        "totalSymptomsLogged": 67,
        "currentStreak": 12,
        "longestStreak": 28,
        "achievementsUnlocked": 8,
        "foodsTested": 23,
        "triggersIdentified": 5,
        "lastActive": "2024-03-15T10:30:00.000Z"
      },
      "createdAt": "2024-01-30T08:15:00.000Z",
      "updatedAt": "2024-03-15T10:30:00.000Z"
    },
    "expiresIn": 900
  },
  "message": "Login realizado com sucesso!"
}

Error Responses

Invalid Credentials (401)

{
  "success": false,
  "error": "Unauthorized",
  "code": "UNAUTHORIZED",
  "message": "E-mail ou senha inválidos"
}

Invalid Credentials with Warning (401)

After 3 or more failed attempts, the response includes remaining attempts: 
{
  "success": false,
  "error": "Unauthorized",
  "code": "UNAUTHORIZED",
  "message": "E-mail ou senha inválidos. 2 tentativa(s) restante(s)."
}

Account Locked (429)

After 5 failed attempts, the account is locked for 15 minutes: 
{
  "success": false,
  "error": "Rate limit exceeded",
  "code": "RATE_LIMIT",
  "message": "Conta bloqueada temporariamente. Tente novamente em 15 minutos."
}

Account Banned (401)

{
  "success": false,
  "error": "Unauthorized",
  "code": "UNAUTHORIZED",
  "message": "Sua conta foi suspensa. Entre em contato com o suporte."
}

Account Inactive (401)

{
  "success": false,
  "error": "Unauthorized",
  "code": "UNAUTHORIZED",
  "message": "Sua conta está inativa. Entre em contato com o suporte."
}

Rate Limit Exceeded (429)

{
  "success": false,
  "error": "Rate limit exceeded",
  "code": "RATE_LIMIT",
  "message": "Muitas requisições. Tente novamente mais tarde."
}

Brute Force Protection

The login endpoint includes robust brute force protection:
  • Failed Attempt Tracking: All failed login attempts are logged by email
  • Account Lockout: After 5 failed attempts, the account is locked for 15 minutes
  • Warning System: After 3 failed attempts, users are warned about remaining attempts
  • IP Tracking: Failed attempts are tracked by IP address for security auditing
  • Generic Errors: Error messages don’t reveal whether the email exists (prevents email enumeration)

Notes

  • Rate Limit: 5 requests per 15 minutes per IP
  • Token Storage: Tokens are automatically stored in HttpOnly cookies
  • Device Tracking: The system tracks device and IP for security purposes
  • Activity Logging: Login events are logged for security auditing
  • Achievement Unlock: First login triggers the “first_login” achievement
  • Stats Update: The lastActive timestamp is updated on successful login

Build docs developers (and LLMs) love

Get started for freeTalk to us