Auth

Base URL: /api/auth · Port 3001 in development.

Auth endpoints handle login/logout, JWT token lifecycle, password reset, and new-account activation. Most are public (no Bearer token required). The access token is a short-lived JWT (default 15 min); the refresh token is a long-lived UUID stored in the tokens table.

Token flow

1. POST /api/auth/login         → { user, access_token } + Set-Cookie: refresh_token
2. Every authenticated request  → Authorization: Bearer <access_token>
3. On 401 (token expired)       → POST /api/auth/refresh  → { access_token } (cookie rotated)
4. POST /api/auth/logout        → refresh token revoked, cookie cleared

POST /api/auth/login

Auth required: No

Request body

{
  "email": "admin@pakag.com",
  "password": "mypassword"
}

Response 200

{
  "user": {
    "id": 1,
    "name": "Admin User",
    "email": "admin@pakag.com",
    "role": "admin",
    "is_active": true
  },
  "access_token": "<jwt>"
}

Sets Set-Cookie: refresh_token=...; HttpOnly; SameSite=Strict; Path=/. Lifetime controlled by JWT_REFRESH_EXPIRES_DAYS.

Errors

Side effect: Inserts a refresh token row in tokens. Uses a dummy bcrypt comparison when user is not found to prevent timing attacks.

POST /api/auth/refresh

Auth required: No (cookie-based)

Rotates the refresh token. The old token is revoked; a new one is issued and set as a cookie. Returns a fresh access token in the body.

Request: No body. refresh_token cookie is read automatically.

Response 200

{ "access_token": "<new_jwt>" }

Sets a new Set-Cookie: refresh_token=....

Errors

Side effect: Revokes old token, inserts new token in tokens table.

POST /api/auth/logout

Auth required: Yes — admin or distributor (Bearer token)

Revokes the current refresh token and clears the cookie.

Request: No body.

Response 200

{ "message": "Saioa itxi da" }

Sets Set-Cookie: refresh_token=; Max-Age=0; HttpOnly; SameSite=Strict.

Errors

Side effect: Marks the refresh token as revoked in the tokens table.

GET /api/auth/me

Auth required: Yes — admin or distributor (Bearer token)

Returns the profile of the currently authenticated user.

Request: No body.

Response 200

{
  "id": 1,
  "name": "Admin User",
  "email": "admin@pakag.com",
  "role": "admin",
  "is_active": true,
  "created_at": "2024-01-01T00:00:00.000Z"
}

Errors

POST /api/auth/forgotPassword

Auth required: No

Sends a password-reset email if the address is registered. Always returns the same response to prevent email enumeration.

Request body

{ "email": "user@example.com" }

Response 200

{ "message": "If that email exists, a reset link has been sent" }

Errors

Side effect (if email exists): Revokes existing reset tokens for the user, inserts a new reset_pwd_token, sends a password-reset email. Token expiry controlled by RESET_EXPIRES_MINUTES.

PATCH /api/auth/changePwd

Auth required: No (token-based via request body)

Dual-mode endpoint. With only reset_pwd_token it validates the token (useful for showing an error page on invalid links). With both fields it sets the new password.

Request body

Mode 1 — token check only

{ "reset_pwd_token": "a1b2c3d4-e5f6-7890-abcd-ef1234567890" }

Response 200: { "valid": true }

Mode 2 — set new password

{
  "reset_pwd_token": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "new_password": "newSecurePassword123"
}

Response 200: { "message": "Password changed successfully" }

Errors

Side effect (password change): Hashes and saves the new password. Sets is_active = true. Revokes all reset tokens for the user.

POST /api/auth/activateAccount

Auth required: No (activation token required)

Activates a newly created user account. Called when the user follows the activation link from their email.

Request body

[!WARNING] Needs verification The exact request shape (body fields vs query params) was not confirmed from a route.ts file — the activateAccount folder has no route.ts. This endpoint is invoked internally by sendActivationEmailService; the public-facing handler may not exist yet or may share the changePwd flow via reset_pwd_token.

Errors