JWT Authentication
Full authentication system with access tokens, refresh tokens, password hashing, and role-based access control.
Use case: Secure user registration and login for a Rotifex-backed application. Protect admin routes from regular users.
How It Works
- POST /auth/register hashes the password with bcrypt and inserts a user row.
- POST /auth/login verifies credentials and issues a short-lived access token (1 hour) and a long-lived refresh token (30 days).
- The JWT middleware runs on every request, verifies the Authorization: Bearer header, and injects x-user-id / x-user-role headers that downstream routes use for authorization.
- POST /auth/refresh issues a new token pair without requiring the password.
Roles
| Role | Access |
|---|---|
| user | Public endpoints, own files, own data records |
| admin | All endpoints including /admin/api/* |
Password Rules
- Minimum 8 characters
- At least one letter
- At least one number
Token Details
| Token | Algorithm | TTL | Secret Env Var |
|---|---|---|---|
| Access Token | HS256 | 1 hour | JWT_SECRET |
| Refresh Token | HS256 | 30 days | JWT_REFRESH_SECRET |
Secrets are auto-generated and saved to .env on first startup if not explicitly set.
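The token lifecycle described under How It Works (issue a pair on login, verify in the middleware and inject x-user-id / x-user-role, rotate the pair on refresh) together with the HS256 / TTL / separate-secret layout from the table, as an added Python example. This is not Rotifex's own code: it uses only the standard library, so HS256 signing is written by hand rather than taken from a JWT library, and the `typ` claim that separates access from refresh tokens, the injectable `now` parameter, the constructed secrets and the behaviour of `auth_middleware` are all assumptions of this example (the real service reads JWT_SECRET and JWT_REFRESH_SECRET from the environment). Password hashing is left out.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secrets for this example only; the real service reads
# JWT_SECRET / JWT_REFRESH_SECRET from the environment (.env).
JWT_SECRET = b"example-access-secret-not-for-production"
JWT_REFRESH_SECRET = b"example-refresh-secret-not-for-production"

ACCESS_TTL = 3600          # 1 hour, as in the Token Details table
REFRESH_TTL = 30 * 86400   # 30 days


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, secret: bytes, ttl: int, typ: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT. `typ` ("access" / "refresh") is an assumed claim used to
    stop one kind of token being presented where the other is expected."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl, typ=typ)
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes, expected_typ: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims when algorithm, signature, expiry and token type all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm on the verifier side; never let the token header choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if payload.get("typ") != expected_typ:
        return None
    return payload


def issue_token_pair(user_id, role: str, now: Optional[int] = None) -> dict:
    """What /auth/login returns: distinct secrets and TTLs for the two tokens."""
    claims = {"sub": user_id, "role": role}
    return {
        "access_token": sign_token(claims, JWT_SECRET, ACCESS_TTL, "access", now),
        "refresh_token": sign_token(claims, JWT_REFRESH_SECRET, REFRESH_TTL, "refresh", now),
    }


def auth_middleware(request_headers: dict, now: Optional[int] = None) -> Optional[dict]:
    """Model of the JWT middleware: read Authorization: Bearer and return the
    x-user-* headers to inject, or None when the request must be rejected.
    Any client-supplied x-user-* header is discarded first so identity can
    only ever come from a verified token (an assumption of this example)."""
    headers = {k.lower(): v for k, v in request_headers.items() if not k.lower().startswith("x-user-")}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    claims = verify_token(token, JWT_SECRET, "access", now)
    if claims is None:
        return None
    return {"x-user-id": str(claims["sub"]), "x-user-role": claims["role"]}


def refresh(refresh_token: str, now: Optional[int] = None) -> Optional[dict]:
    """What /auth/refresh does: a valid refresh token yields a new pair, no password needed."""
    claims = verify_token(refresh_token, JWT_REFRESH_SECRET, "refresh", now)
    if claims is None:
        return None
    return issue_token_pair(claims["sub"], claims["role"], now)


if __name__ == "__main__":
    t0 = 1_700_000_000
    pair = issue_token_pair(42, "user", now=t0)
    print(auth_middleware({"Authorization": "Bearer " + pair["access_token"]}, now=t0))
    print(auth_middleware({"Authorization": "Bearer " + pair["access_token"]}, now=t0 + ACCESS_TTL))
```

Three details carry the security weight here: the verifier pins HS256 instead of trusting the token's alg header, the signature is compared in constant time, and because the refresh token is signed with JWT_REFRESH_SECRET and carries a different typ, it cannot be replayed as an access token against protected routes. Stripping incoming x-user-* headers before injecting the verified ones matters because downstream routes trust those headers unconditionally.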