Skip to main content

Authentication Overview

DriveX implements a credential-based authentication system using email and password. Passwords are securely hashed using BCrypt before storage.

Authentication Endpoints

Login Flow

The login endpoint validates user credentials and returns the user object on success: 
@PostMapping("/login")
public ResponseEntity<User> login(@RequestBody LoginRequest request) {
    return service.login(request.getEmail(), request.getPassword())
            .map(ResponseEntity::ok)  // 200 + User object
            .orElse(ResponseEntity.status(401).build()); // 401 without body
}
Request Format: 
{
  "email": "[email protected]",
  "password": "plaintext-password"
}
Response (Success - 200 OK): 
{
  "id": 1,
  "username": "johndoe",
  "email": "[email protected]",
  "firstname": "John",
  "lastname": "Doe",
  "phone_number": "+1234567890",
  "role": "USER",
  "is_active": true,
  "profileImage": "https://example.com/avatar.jpg"
}
Response (Failure - 401 Unauthorized): Empty response body with 401 status code.
The password_hash field is included in the User entity but should be excluded from API responses in production. Consider using DTOs (Data Transfer Objects) to control response structure.

Registration Flow

The registration endpoint creates new user accounts with duplicate email detection: 
@PostMapping("/register")
public ResponseEntity<?> register(@RequestBody User user) {
    if (service.findByEmail(user.getEmail()).isPresent()) {
        return ResponseEntity.status(409).body("Email ya registrado");
    }
    
    User saved = service.save(user);
    return ResponseEntity.ok(saved);
}
Request Format: 
{
  "username": "johndoe",
  "email": "[email protected]",
  "password_hash": "plaintext-password",
  "firstname": "John",
  "lastname": "Doe",
  "phone_number": "+1234567890",
  "role": "USER"
}
Despite the field name being password_hash, the client should send the plaintext password. The service layer is responsible for hashing it using BCrypt before storage.
Response (Success - 200 OK): Returns the complete user object with generated ID and timestamps. Response (Conflict - 409): 
"Email ya registrado"

Password Security

DriveX uses BCrypt for password hashing, configured through Spring Security: 
@Configuration
public class SecurityConfig {
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

BCrypt Features

BCrypt’s computational cost can be increased over time as hardware improves, making it resistant to brute-force attacks even as computing power increases.
Each password hash includes a random salt, ensuring that identical passwords produce different hashes. This protects against rainbow table attacks.
BCrypt is designed to be slow and computationally expensive, making it impractical to reverse the hash or perform rapid brute-force attempts.

User Roles

The system supports role-based access control through the role field in the User entity: 
private String role;
Common roles:
  • USER - Standard customer with rental capabilities
  • ADMIN - Administrative access for system management
Role enforcement must be implemented in the service layer or through Spring Security method-level security annotations.

User Status Management

Users have an is_active flag to control account status: 
private Boolean is_active;
This allows for:
  • Soft deletion of accounts
  • Temporary account suspension
  • Account activation workflows

Authentication State Management

Current Implementation Limitation:The current authentication flow does not implement session management or token-based authentication. Each request requires credential validation.Recommended Improvements:
  • Implement JWT (JSON Web Tokens) for stateless authentication
  • Add refresh token mechanism for extended sessions
  • Implement token expiration and renewal
  • Add logout functionality

Security Best Practices

1

Never Log Passwords

Ensure passwords are never logged in application logs, even during debugging.
2

Use HTTPS

Always transmit credentials over HTTPS to prevent interception.
3

Implement Rate Limiting

Add rate limiting to login endpoints to prevent brute-force attacks.
4

Add Account Lockout

Lock accounts after multiple failed login attempts.
5

Use DTOs

Never return password_hash or other sensitive fields in API responses.

User Entity Fields

Complete list of User entity fields:
FieldTypeDescription
idLongPrimary key, auto-generated
usernameStringUnique username
emailStringUser email (used for login)
password_hashStringBCrypt hashed password
firstnameStringUser’s first name
lastnameStringUser’s last name
phone_numberStringContact phone number
roleStringUser role (USER, ADMIN)
is_activeBooleanAccount active status
created_atTimestampAccount creation timestamp
updated_atTimestampLast update timestamp
profileImageStringURL to profile image

CORS Configuration

The AuthController enables cross-origin requests: 
@CrossOrigin(origins = "*")
In production, replace the wildcard * with specific allowed origins to improve security:
@CrossOrigin(origins = "https://yourdomain.com")

Build docs developers (and LLMs) love

Get started for freeTalk to us