Skip to main content

Authentication Overview

The MediGuide API uses a simple user ID-based authentication system. After successful login or signup, the client receives a userId which should be stored and included in subsequent requests that require user identification.

User Registration

Signup

Create a new user account. 
curl -X POST http://localhost:3001/api/users/signup \
  -H "Content-Type: application/json" \
  -d '{
    "username": "john_doe",
    "email": "[email protected]",
    "password": "securePassword123"
  }'
username
string
required
Unique username for the account
email
string
required
User’s email address (must be unique)
password
string
required
User’s password

Response (201)

{
  "message": "User registered successfully",
  "userId": 1,
  "username": "john_doe"
}
message
string
Success message
userId
integer
Unique identifier for the newly created user
username
string
Username of the registered user

Error Responses

400 Bad Request - User or email already exists: 
{
  "error": "Usuario ya está registrado"
}
or 
{
  "error": "Correo ya está registrado"
}
500 Internal Server Error: 
{
  "error": "Detailed error message"
}

User Login

Authenticate an existing user. 
curl -X POST http://localhost:3001/api/users/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "john_doe",
    "password": "securePassword123"
  }'
username
string
required
User’s username
password
string
required
User’s password

Response (200)

{
  "message": "Login successful",
  "userId": 1,
  "username": "john_doe"
}
message
string
Success message
userId
integer
User’s unique identifier (store this for authenticated requests)
username
string
Authenticated user’s username

Error Responses

401 Unauthorized - Invalid credentials: 
{
  "error": "Usuario o contraseña incorrectos"
}

Password Recovery

Request Reset Code

Request a password reset code to be sent to the user’s email. 
curl -X POST http://localhost:3001/api/users/forgot-password \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]"
  }'
email
string
required
Email address associated with the account

Response (200)

{
  "message": "Reset code sent to email",
  "resetCode": "123456"
}
message
string
Success message
resetCode
string
6-digit reset code (valid for 30 minutes)

Error Responses

404 Not Found - Email not found: 
{
  "error": "No se encontró cuenta con este correo"
}

Verify Reset Code

Verify the reset code before allowing password change. 
curl -X POST http://localhost:3001/api/users/verify-reset-code \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "resetCode": "123456"
  }'
email
string
required
Email address associated with the account
resetCode
string
required
6-digit reset code received from forgot-password endpoint

Response (200)

{
  "message": "Reset code verified",
  "userId": 1
}
message
string
Success message
userId
integer
User ID associated with the verified reset code

Error Responses

401 Unauthorized - Invalid or expired code: 
{
  "error": "Código de recuperación inválido"
}
or 
{
  "error": "El código de recuperación ha expirado"
}

Reset Password

Reset the user’s password using the verified reset code. 
curl -X POST http://localhost:3001/api/users/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "resetCode": "123456",
    "newPassword": "newSecurePassword456"
  }'
email
string
required
Email address associated with the account
resetCode
string
required
6-digit reset code received from forgot-password endpoint
newPassword
string
required
New password (minimum 6 characters)

Response (200)

{
  "message": "Contraseña actualizada exitosamente",
  "userId": 1,
  "username": "john_doe"
}
message
string
Success message
userId
integer
User’s unique identifier
username
string
User’s username

Error Responses

400 Bad Request - Invalid password: 
{
  "error": "La contraseña debe tener al menos 6 caracteres"
}
401 Unauthorized - Invalid or expired code: 
{
  "error": "Código de recuperación inválido"
}
or 
{
  "error": "El código de recuperación ha expirado"
}

Session Management

Client-Side Storage

After successful login or signup, the client should store the userId in localStorage for subsequent authenticated requests: 
// Store after login/signup
localStorage.setItem('userId', response.userId);
localStorage.setItem('username', response.username);

// Retrieve for authenticated requests
const userId = localStorage.getItem('userId');

Using User ID in Requests

Include the userId in request bodies or query parameters for endpoints that require user identification: 
# Example: Get latest medical record
curl "http://localhost:3001/api/medical-info/latest?userId=1"

# Example: Create medical record
curl -X POST http://localhost:3001/api/medical-info \
  -H "Content-Type: application/json" \
  -d '{
    "userId": 1,
    "glucose": 95,
    "heartRate": 72,
    ...
  }'

Security Considerations

The current implementation stores passwords in plain text and does not use token-based authentication. This is suitable for development/demonstration purposes only.

Production Recommendations

For production deployment, consider implementing:
  1. Password Hashing: Use bcrypt or similar to hash passwords before storage
  2. JWT Tokens: Implement token-based authentication instead of user ID in localStorage
  3. HTTPS: Always use HTTPS in production to encrypt data in transit
  4. Rate Limiting: Add rate limiting to prevent brute force attacks
  5. CORS Configuration: Configure CORS to allow only trusted origins
  6. Session Expiry: Implement session timeout and token refresh mechanisms
  7. Email Verification: Send actual emails for password reset instead of returning codes in response

Reset Code Security

  • Reset codes are 6-digit random numbers
  • Codes expire after 30 minutes
  • Codes are invalidated after successful password reset
  • Only one reset code is active per user at a time

Build docs developers (and LLMs) love

Get started for freeTalk to us