Set Up Authentication API Routes: AuthRoutes

[HaiyiCai]

• Description: Define the API routes for handling authentication actions, including login, registration, and logout. The routes should handle requests from the frontend to authenticate users, validate credentials, and issue tokens for session management. Additionally, include routes for handling the user’s session, such as logging out and token revocation.
• Tag: #66
• Owner: Haiyi
• Expected Outcome: A set of routes that facilitate login, registration, reset passsword, and logout operations for user authentication.

[HaiyiCai]

Create API routes for user authentication, including:

• [ ] POST /auth/register:

  • Create a new user account with email, password, and optional profile data.
  • Ensure email uniqueness and secure password hashing.
  • Create user in the database and generate a JWT to authenticate the user on subsequent requests.

• [ ] POST /auth/login:

  • Authenticate a user with email and password.
  • Rate limiting.
  • Error messages that avoid revealing whether email or password is incorrect.
  • Generate a token for successful login.
  • Return a response with the token for client-side storage (e.g., in cookies or localStorage).

• [ ] POST /request-password-reset:

  • The route accepts a POST request containing the user's email address or user ID (or both).
  • Verify the user: The system checks if the provided email or user ID exists in the database (via UserModel.js).
  • Error Handling.
  • If the user exists, the server will generate a unique reset token (a temporary token stored in the database or generated dynamically).
  • Save the reset token: This reset token is stored in the UserModel.js in the database with an expiration time.
  • The reset token can be sent back to the frontend for the user to enter in the next step of the process.
  • The system should ensure that each reset token is one-time use and expires after a set time (for security reasons).
  • Rate limiting.

• [ ] POST /auth/logout:

  • Invalidate the token to log the user out.
  • Maybe handle token revocation for security.

These routes will connect to AuthController.js to handle user authentication logic, including registration, login validation, password rest and logout functionality. They will enforce authentication and authorization through AuthMiddleware to ensure secure access to sensitive routes, particularly for actions like registration and login. Middleware will also be used to protect routes that require an authenticated user. Additionally, these routes will interact with the UserModel.js for managing user data and storing credentials securely.

Point Value: 4 Feature Size: Medium