Auth

The Express API uses JWT-based authentication with separate secrets and strategies for different user roles. Cookies are used to store tokens for web clients.

Auth Architecture

┌──────────────────────┐
│   Client sends       │
│   request + cookie   │
└──────────┬───────────┘
           │
           ▼
┌──────────────────────────────────────┐
│        Auth Middleware Chain         │
│                                      │
│  authMiddleware     → Requires JWT    │
│  adminMiddleware    → Requires admin  │
│  softAuthMiddleware → Optional auth   │
│  userAuthMiddleware → Requires user   │
└──────────────────────────────────────┘

JWT Tokens

Token	Secret Env Var	Payload	Used For
User/Supplier JWT	`JWT_SECRET`	`{ id, email, role }`	Travelers, Suppliers
Admin JWT	`JWT_SECRET_ADMIN`	`{ id, email, role }`	Admin panel

Token expiry: JWT_EXPIRY (default 7 days = 604800000ms)

Auth Endpoints

Method	Endpoint	Auth	Description
POST	`/auth/login`	Public	Login with email + password
POST	`/auth/register`	Public	Register new user
POST	`/auth/verify-email`	Public	Verify email with token
POST	`/auth/forget-password`	Public	Send password reset email
POST	`/auth/reset-password/:token`	Public	Reset password with token
POST	`/auth/logout`	Any	Clear auth cookie

POST /api/v1/auth/login
Body: { email: string, password: string }
Response: { token: string, user: { id, name, email, role } }

Sets auth_token cookie (httpOnly, secure in production).

Register

POST /api/v1/auth/register
Body: { name: string, email: string, password: string }
Response: { message: string, user: { id, name, email } }

Triggers verification email via Resend.

Admin Auth

Admins authenticate separately with the adminMiddleware:

POST /api/v1/admin/login
Body: { email: string, password: string }
Response: { token: string, admin: { id, username, role } }

Sets admin_token cookie.

Middleware Reference

Middleware	File	Behavior
`authMiddleware`	`middlewares/auth.middleware.ts`	Requires valid JWT; rejects with 401 if missing/expired
`adminMiddleware`	`middlewares/admin.middleware.ts`	Requires valid admin JWT; rejects with 401 if missing/expired
`softAuthMiddleware`	`middlewares/softAuth.middleware.ts`	Optional — attaches user to request if token present; continues if not
`userAuthMiddleware`	`middlewares/userAuth.middleware.ts`	Requires valid user JWT (not admin)

Password Security

Passwords are hashed with bcrypt (salt rounds: 10)
Email verification required before full access
Password reset flow uses time-limited JWT tokens sent via email
Verification tokens are generated at registration and sent via Resend

Auth ​

Auth Architecture ​

JWT Tokens ​

Auth Endpoints ​

Login ​

Register ​

Admin Auth ​

Middleware Reference ​

Password Security ​