Skip to main content

GET /api/user

Retrieves the profile information for the currently authenticated user.

Authentication

This endpoint requires a valid session cookie. The user must be authenticated.

Request

No request body or query parameters required.
cURL
curl -X GET https://your-domain.com/api/user \
  -H "Cookie: session=your-session-token"
fetch
const response = await fetch('/api/user', {
  method: 'GET',
  credentials: 'include'
});

const user = await response.json();

Response

Returns the user object or null if the user is not authenticated.
id
number
required
The unique identifier for the user
name
string | null
The user’s display name
email
string
required
The user’s email address (unique)
passwordHash
string
required
The hashed password (should never be exposed to the client in production)
role
string
required
The user’s role in the system. Default value is “member”
createdAt
string
required
ISO 8601 timestamp of when the user account was created
updatedAt
string
required
ISO 8601 timestamp of when the user account was last updated
deletedAt
string | null
ISO 8601 timestamp of when the user account was soft-deleted, or null if active

Response Examples

{
  "id": 5,
  "name": "John Doe",
  "email": "[email protected]",
  "passwordHash": "$2a$10$...",
  "role": "member",
  "createdAt": "2024-01-15T10:30:00.000Z",
  "updatedAt": "2024-03-01T14:20:00.000Z",
  "deletedAt": null
}

Error Handling

The endpoint returns null in the following cases:
  • No session cookie is present
  • Session cookie is invalid or malformed
  • Session has expired
  • User ID from session does not exist in the database
  • User account has been soft-deleted
No explicit error responses are returned; authentication failures result in a null response.

Security Notes

The passwordHash field is included in the response based on the current implementation. In production applications, you should exclude sensitive fields like password hashes from API responses by selecting specific columns in your database queries.

Implementation Details

The endpoint:
  1. Reads the session cookie from the request
  2. Verifies the JWT token stored in the cookie
  3. Checks if the session has expired
  4. Queries the database for the user by ID
  5. Filters out soft-deleted users (where deletedAt is not null)
  6. Returns the user object or null
The authentication logic ensures that only active, non-deleted users with valid sessions can retrieve their profile data.

Build docs developers (and LLMs) love

Get started for freeTalk to us