[FEAT]: Authentication - Basic Authentication

Acceptance Criteria

User Registration [POST] `/api/auth/register`

Registration Endpoint

Given a request with valid user details (ie email, password), when the user registers, then the system should create a new user account with a 201 created status code.

Unique Email

Given a email that already exists, when the user tries to register, then the system should return a 400 bad request error status with an appropriate error message

Password Encryption

Given a user registration request, when the user registers, then the system should store the password in an encrypted form.

Request

POST /api/auth/register
{
  "firstName": String,
  "lastName": String,
  "email": String,
  "password": String,
  "confirmPassword": String
}

Successful Response

{
  "message": String,
  "user": {
    "id": String,
    "email": String,
  },
}

Error Response

{
  "message": String,
  "error": String,
  "statusCode": Int,
}

User Login [POST] `/api/login`

email and Password Validation

Given a request with valid email and password, when the user logs in, the system should authenticate the user and provide a token.
Given a request with invalid email or password, when the user logs in, then the system should return a 401 Unauthorized status.

Token Generation

Given valid login credentials, when the user logs in, the system should generate a JWT token.

Token Expiry

The generated token should have an expiry time configured - 1 hour.
Given an expired token, when the user tries to access a protected route, then the system should return a 401 Unauthorized status.

Request

POST /api/auth/login
{
  "email": String,
  "password": String,
}

Successful Response

{
  "accessToken": String,
  "expiresIn": Int,
}

Accessing Protected Routes

Authorization Header

Given a valid token in the Authorization header, when the user accesses a protected route, then the system should allow access and return the requested data.

{
  "Authorization": "Bearer eyJhbGciOiJIUzI1N...."
}

Given a request without an Authorization header or with an invalid token, when the user accesses a protected route, then the system should return 401 Unauthorized status.

Role-based access control ?? (TBD: not sure if this is needed for boiler-plates)

Error Handling

Invalid Credentials

When the user logs in, then the system should return a 401 Unauthorized status with an appropriate error message.

{
  "message": "Invalid credentials",
  "statusCode": 401
}

Testing

Unit Tests

The systems should have unit tests covering authentication logic, including successful and failed login attempts, token generation and validation

hngprojects / hng_boilerplate_nestjs

[FEAT]: Authentication - Basic Authentication #1

Acceptance Criteria

User Registration [POST] `/api/auth/register`

Request

Successful Response

Error Response

User Login [POST] `/api/login`

Request

Successful Response

Accessing Protected Routes

Error Handling

Testing

hngprojects / hng_boilerplate_nestjs

[FEAT]: Authentication - Basic Authentication #1

Acceptance Criteria

User Registration [POST] /api/auth/register

Request

Successful Response

Error Response

User Login [POST] /api/login

Request

Successful Response

Accessing Protected Routes

Error Handling

Testing

User Registration [POST] `/api/auth/register`

User Login [POST] `/api/login`