Tambo360 implements a comprehensive authentication system built on JWT (JSON Web Tokens) to secure access to your dairy farm production data.

Overview

The authentication system provides:
  • User registration with email verification
  • Secure login with JWT token management
  • Password recovery and reset functionality
  • HTTP-only cookie-based session management
  • Production-ready security configurations

User Registration

Step 1: Create Account

Users register with their name, email, and password. The system validates all inputs against security requirements.
// Password requirements
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character (@$!%*?&)
- Maximum 50 characters
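The policy above as a validator, added here as an example and not taken from Tambo360's code: every rule is evaluated so the registration form can show all failures inline, and the 50-character cap is checked before the password ever reaches the hash function. Names such as validatePassword and the sample passwords are constructed for the example.

```javascript
// Each rule mirrors one line of the documented password policy. All rules are
// evaluated so the form can show every failure inline rather than one at a time.
const PASSWORD_RULES = [
  { id: "minLength", message: "Minimum 8 characters", test: (p) => p.length >= 8 },
  { id: "maxLength", message: "Maximum 50 characters", test: (p) => p.length <= 50 },
  { id: "uppercase", message: "At least one uppercase letter", test: (p) => /[A-Z]/.test(p) },
  { id: "lowercase", message: "At least one lowercase letter", test: (p) => /[a-z]/.test(p) },
  { id: "number", message: "At least one number", test: (p) => /[0-9]/.test(p) },
  { id: "special", message: "At least one special character (@$!%*?&)", test: (p) => /[@$!%*?&]/.test(p) },
];

// Returns { valid, failures } where failures lists the ids of the rules not met.
// Run this before hashing: the maximum length bounds the work handed to bcrypt.
function validatePassword(password) {
  if (typeof password !== "string") return { valid: false, failures: ["notAString"] };
  // Length is measured in UTF-16 code units (String.prototype.length).
  const failures = PASSWORD_RULES.filter((rule) => !rule.test(password)).map((rule) => rule.id);
  return { valid: failures.length === 0, failures };
}

// Human-readable messages for the failed rules, in the order the policy lists them.
function passwordErrors(password) {
  const { failures } = validatePassword(password);
  return PASSWORD_RULES.filter((rule) => failures.includes(rule.id)).map((rule) => rule.message);
}
```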

Step 2: Email Verification

After registration, a verification email is sent to the user. The account remains unverified until the email link is clicked.
// Verification token flow (authController.ts:82-124)
POST /api/auth/verify-email
{
  "token": "verification-token-from-email"
}
Users can request a new verification email if needed:
POST /api/auth/resend-verification
{
  "correo": "[email protected]"
}

Step 3: Account Activation

Once verified, users can log in and access the platform. The JWT token includes verification status.

Login Process

Standard Login

Users authenticate with email and password:
// Login endpoint (authController.ts:41-79)
POST /api/auth/login
{
  "correo": "[email protected]",
  "contraseña": "SecurePass123!"
}

// Response includes JWT token
{
  "success": true,
  "data": {
    "user": {
      "nombre": "Juan Pérez",
      "correo": "[email protected]",
      "idUsuario": "uuid",
      "verificado": true,
      "establecimientos": [...]
    },
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

JWT Token Structure

The JWT token contains:
{
  user: {
    nombre: string,
    correo: string,
    idUsuario: string,
    verificado: boolean,
    fechaCreacion: Date,
    establecimientos: Establecimiento[]
  }
}
Tokens expire after 24 hours (1d). Users must re-authenticate after expiration.
Tokens are stored in HTTP-only cookies for enhanced security:
// Cookie configuration (authController.ts:67-72)
res.cookie("token", token, {
  httpOnly: true,              // Not readable by page scripts, so XSS cannot steal the token
  secure: isProduction,        // HTTPS only in production
  sameSite: isProduction ? "none" : "lax", // "none" requires secure: true and gives no SameSite CSRF protection
  maxAge: 24 * 60 * 60 * 1000  // 24 hours
});
In development (isProduction is false) the cookie is therefore issued with:
  • secure: false (allows HTTP)
  • sameSite: lax

Password Recovery

Step 1: Request Reset

Users can request a password reset by providing their email:
// Forgot password endpoint (authController.ts:147-163)
POST /api/auth/forgot-password
{
  "correo": "[email protected]"
}
An email with a reset link and token is sent to the user.

Step 2: Verify Reset Token

The reset token is validated before allowing password change:
POST /api/auth/verify-reset-token
{
  "token": "reset-token-from-email"
}

Step 3: Reset Password

Users set a new password that meets security requirements:
// Reset password endpoint (authController.ts:189-216)
POST /api/auth/reset-password
{
  "token": "reset-token-from-email",
  "nuevaContraseña": "NewSecurePass123!"
}
Reset tokens expire after a set period and can only be used once.

Session Management

Get Current User

Retrieve authenticated user information:
// Get me endpoint (authController.ts:219-238)
GET /api/auth/me

// Returns current user data
{
  "success": true,
  "data": {
    "idUsuario": "uuid",
    "nombre": "Juan Pérez",
    "correo": "[email protected]",
    "verificado": true,
    "establecimientos": [...]
  }
}

Logout

Securely terminate user session:
// Logout endpoint (authController.ts:241-261)
POST /api/auth/logout

// Clears authentication cookie
{
  "statusCode": 200,
  "message": "Sesión cerrada correctamente",
  "success": true
}

Frontend Integration

The frontend implements the authentication flow in the Login component:
// Login.tsx workflow

1. User enters credentials (email + password)
2. Form validation with Zod schema
3. Submit to /api/auth/login
4. Store JWT token in context
5. Set HTTP-only cookie
6. Navigate to /dashboard

// Error handling
- Form validation errors shown inline
- API errors displayed in toast notifications
- Password visibility toggle for UX
// Register.tsx workflow

Step 1: Registration Form
- Collect: nombre, correo, contraseña
- Validate against schema
- Submit to /api/auth/register

Step 2: Email Verification
- Show "Check your email" message
- Display countdown timer (3 minutes)
- Allow resend verification email
- Background transitions for visual feedback

Security Best Practices

Password Security

  • Passwords hashed with bcrypt
  • Complex password requirements enforced
  • Maximum length limits prevent DoS attacks

Token Security

  • JWT signed with secret key
  • HTTP-only cookies keep the token out of reach of scripts injected via XSS
  • 24-hour expiration limits exposure

API Security

  • All endpoints validate input
  • Error messages don’t leak sensitive info
  • Rate limiting recommended for production

HTTPS Enforcement

  • Secure cookies in production
  • Environment-based configuration
  • SameSite policies for CSRF protection

Common Issues

If users try to log in without verifying their email, they can still authenticate, but the verificado flag will be false. Implement UI checks to prompt verification.
After 24 hours, the JWT expires. Users must log in again. Implement token refresh logic or session extension if needed.
Ensure email service is configured correctly. Check email provider settings and verify the reset token hasn’t expired.

API Reference

Endpoint                         Method  Purpose
/api/auth/register               POST    Create new user account
/api/auth/login                  POST    Authenticate user and issue token
/api/auth/verify-email           POST    Verify email with token
/api/auth/resend-verification    POST    Resend verification email
/api/auth/forgot-password        POST    Request password reset
/api/auth/verify-reset-token     POST    Validate reset token
/api/auth/reset-password         POST    Set new password
/api/auth/me                     GET     Get current user info
/api/auth/logout                 POST    End user session
