Login

​

POST /api/auth/login

​

Authentication

​

Request Body

​

Response

​

Cookies Set

• accessToken - JWT access token (HTTP-only, secure in production, 7 days expiry)
• refreshToken - JWT refresh token (HTTP-only, secure in production, 7 days expiry)

​

Example Request

{
  "email": "[email protected]",
  "password": "SecurePass123"
}

​

Example Response

{
  "message": "Login successful",
  "user": {
    "id": "507f1f77bcf86cd799439011",
    "email": "[email protected]",
    "username": "johndoe",
    "role": "user",
    "wallet": "TRX7qS7n9qJCyXPZp3nYbH6KdQ3fPgDq8f"
  }
}

​

Error Responses

​

400 Bad Request

• Email and password are required - One or both credentials are missing

​

401 Unauthorized

• Invalid email or password - Credentials don’t match any user account
• User account is inactive - The user account has been deactivated

​

500 Internal Server Error

• Server error with error message details

​

Notes

• Password is verified using bcrypt comparison (see ~/workspace/source/src/models/User.js:80)
• The lastLogin field is updated with the current timestamp on successful login (see ~/workspace/source/src/api/auth/login.js:29)
• Cookies use sameSite: 'strict' for CSRF protection
• In production, cookies are set with the secure flag (HTTPS only)
• Both access and refresh tokens have a 7-day expiry
• Users must have isActive: true to login successfully