Overview
The Inmobiliaria API uses session-based authentication powered by Better Auth. Authentication is handled through HTTP-only session cookies that are automatically sent with each request.Authentication Methods
The API provides three middleware functions for different authentication requirements:requireAuth - Authenticated Users
Requires a valid user session. Used for endpoints that need any authenticated user.
Response on failure:
401 Unauthorized
requireAdmin - Admin Access
Requires a valid user session with admin role. Used for administrative endpoints.
Response on authentication failure:
401 Unauthorized- No valid session403 Forbidden- Valid session but not an admin
optionalAuth - Public Endpoints
Does not require authentication but will attach user data if a valid session exists. Used for public endpoints that have different behavior for authenticated users.
This middleware never fails - it simply continues with or without user data.
Session Cookies
Better Auth uses session cookies with the following characteristics:- Cookie prefix:
inmobiliaria(or configured prefix) - HTTP-only: Yes (cannot be accessed via JavaScript)
- Secure: Yes in production (HTTPS only)
- SameSite: Configured based on environment
- Credentials required: Must include credentials in requests
Making Authenticated Requests
Using cURL
Include the session cookie in your request:Using JavaScript Fetch
Ensure credentials are included:Using Axios
Configure axios to send credentials:Getting Session Information
Retrieve the current session and user information:User Object Structure
When authenticated, the user object attached to requests contains:Unique user identifier
User’s email address
User’s display name
User role: either
"user" or "admin"Authentication Flow
The authentication middleware follows this process:- Extract session from request headers (includes cookies)
- Validate session using Better Auth
- Fetch user data from database including role information
- Attach user object to request for use in route handlers
- Check authorization (for
requireAdminonly)
src/middleware/auth.ts:20-74:
Better Auth Endpoints
Authentication is handled by Better Auth at:/api/auth/signin- Sign in/api/auth/signup- Sign up/api/auth/signout- Sign out/api/auth/callback/*- OAuth callbacks
CORS Requirements
For authentication to work correctly:- Frontend URL must be configured via
FRONTEND_URLenvironment variable - Credentials must be included in all requests (
credentials: truein CORS) - Requests must use HTTPS in production for secure cookies
Common Authentication Errors
| Status Code | Message | Cause |
|---|---|---|
| 401 | Authentication required | No valid session found |
| 401 | Invalid session | Session validation failed |
| 403 | Admin access required | User is not an admin |
| 403 | Access denied | Authorization check failed |
| 404 | User not found | Session valid but user doesn’t exist in database |
Security Considerations
- Session cookies are HTTP-only and cannot be accessed via JavaScript
- The API uses
trust proxysetting for proper IP detection behind proxies - Sessions expire based on Better Auth configuration
- Admin endpoints have dual checks: authentication + authorization
- Passwords and sensitive data are never exposed in API responses