
POST /api/user/login

Authenticates a user with their email and password. Returns user information upon successful authentication.

Headers

Content-Type (string, required): Must be application/json.

Request Body

email (string, required): User’s registered email address.
password (string, required): User’s password in plain text. It is compared against the hashed password stored in the database.

Request Example

curl -X POST http://localhost:3000/api/user/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "securePassword123"
  }'

Response

message (string): Success message confirming user authentication.
user (object): User information object. Note: the password is excluded from the response for security.
user.document (string): User’s identification document number.
user.email (string): User’s email address.
user.name (string): User’s first name.
user.last_name (string): User’s last name.
user.cellphone (string): User’s mobile phone number.
user.user_type (string): Type of user account.

Example Response
{
  "message": "Usuario logueado correctamente",
  "user": {
    "document": "1234567890",
    "email": "[email protected]",
    "name": "John",
    "last_name": "Doe",
    "cellphone": "+57 300 123 4567",
    "user_type": "client"
  }
}
Validation Error
Returned when required fields are missing.
message (string): Error message describing the validation failure.

Missing Required Fields
{
  "message": "Email y contraseña son obligatorios"
}

Authentication Error (401)
Returned when authentication fails due to invalid credentials. Both the unknown-email and the wrong-password case return HTTP 401.
message (string): Error message describing the authentication failure.

User Not Found
{
  "message": "Usuario no encontrado con el email proporcionado"
}

Invalid Password
{
  "message": "Credenciales inválidas"
}

Server Error
Returned when an unexpected server error occurs.
message (string): Error message.
error (object): Error details object.

Example Response
{
  "message": "Error al iniciar sesión",
  "error": {}
}

Authentication Flow

  1. User submits email and password
  2. System validates that both fields are provided
  3. System looks up user by email in the database
  4. If user exists, password is compared using bcrypt
  5. If password matches, user information is returned (excluding password)
  6. If authentication fails at any step, appropriate error is returned

Security Notes

  • Password is compared using bcrypt’s secure comparison
  • Password hash is never returned in the response
  • Invalid credentials return a generic error message to prevent user enumeration. Note that the documented “User Not Found” body (“Usuario no encontrado con el email proporcionado”) differs from the “Invalid Password” body (“Credenciales inválidas”); enumeration is only prevented when both cases return the same message and status and take comparable time.
  • Both missing user and invalid password return 401 status

Implementation Reference

The login endpoint is implemented in:
  • Route: /home/daytona/workspace/source/src/routes/userRoutes.js:8
  • Controller: /home/daytona/workspace/source/src/controllers/userController.js:43
