Overview
Finanzapp supports two authentication methods: traditional email/password authentication and Google OAuth integration. All authenticated requests use PHP session-based authentication.
Authentication Methods
Email/Password: Traditional authentication with email and password
Google OAuth: Single sign-on using Google accounts
Email/Password Authentication
Login Endpoint
JavaScript (XHR)
const xhr = new XMLHttpRequest();
const formData = new FormData();
formData.append('email', 'user@example.com'); // placeholder address
formData.append('password', 'SecurePass123');
formData.append('g-recaptcha-response', recaptchaToken);
xhr.open('POST', 'https://pro.finanzapp.es/app/auth/sendLogin.php', true);
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
xhr.onreadystatechange = function () {
  if (xhr.readyState === 4 && xhr.status === 200) {
    const data = JSON.parse(xhr.responseText);
    if (data.success) {
      console.log('Login successful:', data.user);
      // Session is automatically created server-side
    } else {
      console.error('Login failed:', data.message);
    }
  }
};
xhr.send(formData);
Request Parameters
email: User’s email address (must be a valid email format)
password: User’s password (minimum 8 characters, at least one uppercase letter and one number)
g-recaptcha-response: reCAPTCHA token for bot protection (optional but recommended)
Response
success: Indicates if the login was successful
message: Human-readable message about the operation
user: User information object (only included on success). User object properties:
url_image: URL to user’s avatar image
accept_news: Newsletter subscription status (0 or 1)
Example Response
{
  "success": true,
  "message": "Login successful",
  "user": {
    "id": 123,
    "email": "user@example.com",
    "name": "John Doe",
    "url_image": "https://carefully-happy-quetzal.global.ssl.fastly.net/assets/avatars/01.jpeg",
    "accept_news": 1
  }
}
Error - Invalid Credentials
{
  "success": false,
  "message": "Email o contraseña incorrectas"
}
Error - Access Denied
{
  "success": false,
  "message": "Access denied"
}
Registration Endpoint
const formData = new FormData();
formData.append('nombre', 'John Doe');
formData.append('email', 'user@example.com'); // placeholder address
formData.append('password', 'SecurePass123');
formData.append('confirm-password', 'SecurePass123');
formData.append('terms', 'on');
formData.append('notifications', 'on'); // Optional
const xhr = new XMLHttpRequest();
xhr.open('POST', 'https://pro.finanzapp.es/app/auth/sendRegister.php', true);
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
xhr.onreadystatechange = function () {
  if (xhr.readyState === 4 && xhr.status === 200) {
    const data = JSON.parse(xhr.responseText);
    console.log(data);
  }
};
xhr.send(formData);
Request Parameters
email: User’s email address (must be unique and valid)
password: User’s password (minimum 8 characters, one uppercase, one number)
confirm-password: Password confirmation (must match password)
terms: Terms and conditions acceptance (must be “on”)
notifications: Newsletter subscription preference (“on” or empty)
Response
success: Indicates if the registration was successful
message: Human-readable message about the operation
Example Response
{
  "success": true,
  "message": "Usuario registrado correctamente"
}
Error - Email Already Exists
{
  "success": false,
  "message": "El email ya está registrado"
}
Google OAuth Authentication
Login with Google
Finanzapp integrates with Google Sign-In for seamless authentication.
Google Login Callback
HTML Integration
function handleCredentialResponse(response) {
  fetch('https://pro.finanzapp.es/app/auth/google-callback-login.php', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      credential: response.credential
    })
  })
    .then(res => res.json())
    .then(data => {
      if (data.status === 'exists') {
        console.log('User already exists, logged in');
      } else if (data.status === 'inserted') {
        console.log('New user created and logged in');
      }
      window.location.href = "/Finanzapp/index.php";
    })
    .catch(error => console.error('Error:', error));
}
Request Parameters
credential: Google JWT credential token received from Google Sign-In
Response
status: Status of the operation: "exists" (existing user) or "inserted" (new user)
user: User information extracted from Google profile
Register with Google
Similar to login, but uses a redirect mode:
<div id="g_id_onload"
     data-client_id="665269631824-25f2bkbj039grhjavj17pkqjsjdqj0jr.apps.googleusercontent.com"
     data-context="signup"
     data-ux_mode="redirect"
     data-login_uri="https://pro.finanzapp.es/app/auth/google-callback.php"
     data-auto_prompt="false">
</div>
Session Management
Once authenticated, Finanzapp creates a PHP session that persists across requests.
Session Data Structure
The server stores the following information in $_SESSION['user']:
$_SESSION['user'] = [
    'id'          => 123,
    'email'       => 'user@example.com', // placeholder address
    'name'        => 'John Doe',
    'url_image'   => 'https://carefully-happy-quetzal.global.ssl.fastly.net/assets/avatars/01.jpeg',
    'accept_news' => 1
];
Checking Authentication Status
Protected pages verify authentication using:
if (empty($_SESSION['user']['id'])) {
    // User not authenticated - redirect to login
    header('Location: /app/login.php');
    exit;
}
Logout
Logout Endpoint
fetch('https://pro.finanzapp.es/app/auth/logout.php', {
  method: 'POST',
  headers: {
    'X-Requested-With': 'XMLHttpRequest'
  }
})
  .then(response => response.json())
  .then(data => {
    if (data.success) {
      console.log('Logged out successfully');
      window.location.href = '/app/login.php';
    }
  })
  .catch(error => console.error('Error:', error));
Endpoint Details
URL: POST /app/auth/logout.php
Headers Required:
X-Requested-With: XMLHttpRequest
Response
success: Indicates if logout was successful
Implementation
The logout endpoint (source: /home/daytona/workspace/source/app/auth/logout.php:18-21):
session_unset();
session_destroy();
echo json_encode([
    'success' => true,
    'message' => 'Sesión cerrada correctamente'
]);
Example Response
{
  "success": true,
  "message": "Sesión cerrada correctamente"
}
Error - Method Not Allowed
{
  "success": false,
  "message": "Método no permitido"
}
Security Considerations
Important Security Notes:
All authentication endpoints require the X-Requested-With: XMLHttpRequest header
Direct browser access to API endpoints will return a 403 Forbidden error
Passwords must meet complexity requirements (8+ chars, uppercase, number)
reCAPTCHA integration prevents automated attacks
Sessions are managed server-side with PHP’s built-in session handling
Password Requirements
Passwords must meet the following criteria (validated client-side and server-side):
Minimum 8 characters
At least one uppercase letter
At least one number
No maximum length limit
function validatePassword(password) {
  const passwordRegex = /^(?=.*[A-Z])(?=.*\d).{8,}$/;
  return passwordRegex.test(password);
}
Error Handling
All authentication endpoints return consistent error responses:
Error Message: Cause
Acceso prohibido: Missing or invalid X-Requested-With header
Método no permitido: Invalid HTTP method (not POST)
Email o contraseña incorrectas: Invalid login credentials
El email ya está registrado: Email already exists during registration
No hay una sesión activa: Session expired or user not logged in
Error messages are returned in Spanish by default. The frontend uses the translation system for internationalization.
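The Security Considerations, Password Requirements and Error Handling sections above describe checks the server applies in a fixed order; the following is an added example (not Finanzapp's own code) that models that order for the registration endpoint so it can be exercised offline. Field names and the Spanish messages are taken from this page; the function names, the email regex and the English validation messages are assumptions.

```javascript
// Added example (not Finanzapp's own code): a stand-alone model of the
// server-side gatekeeping documented above, in the order a request meets it.
// Field names and Spanish messages come from the page; the function names,
// the email regex and the English messages are assumptions.

const PASSWORD_RE = /^(?=.*[A-Z])(?=.*\d).{8,}$/; // same policy as validatePassword
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;    // loose format check (assumption)

// HTTP header names are case-insensitive, so look the header up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : '';
}

// Models sendRegister.php. req = { method, headers, body }; users is a Map
// keyed by lower-cased email that stands in for the database.
// Returns the JSON body the endpoint would answer with.
function handleRegister(req, users) {
  // The custom header is checked first: a plain <form> post or a cross-site
  // request cannot carry X-Requested-With without a CORS preflight, which is
  // what turns "direct browser access" into the documented 403.
  if (getHeader(req.headers, 'X-Requested-With') !== 'XMLHttpRequest') {
    return { success: false, message: 'Acceso prohibido' };
  }
  if (req.method !== 'POST') {
    return { success: false, message: 'Método no permitido' };
  }
  const b = req.body || {};
  const email = String(b.email || '').trim().toLowerCase();
  if (!EMAIL_RE.test(email)) {
    return { success: false, message: 'Invalid email format' };         // assumed text
  }
  if (!PASSWORD_RE.test(b.password || '')) {
    return { success: false, message: 'Password does not meet policy' }; // assumed text
  }
  if (b['confirm-password'] !== b.password) {
    return { success: false, message: 'Passwords do not match' };        // assumed text
  }
  if (b.terms !== 'on') {
    return { success: false, message: 'Terms must be accepted' };        // assumed text
  }
  if (users.has(email)) {
    return { success: false, message: 'El email ya está registrado' };
  }
  // "notifications" = "on" becomes accept_news = 1, as in the session record above.
  users.set(email, { email, name: b.nombre, accept_news: b.notifications === 'on' ? 1 : 0 });
  return { success: true, message: 'Usuario registrado correctamente' };
}
```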
Next Steps
API Endpoints: Explore all available API endpoints
User Management: Learn about user profile and account management