Authentication API

Login, token verification, and password management

Authentication endpoints for staff members to log in, verify tokens, and manage passwords.

Base URL: https://ycwadelaide.adenmgb.com

POST /api/auth/login

Authenticate a staff user and receive a JWT token.

Headers:

Content-Type: application/json

Request Body:

{
  "username": "admin",
  "password": "password123"
}

Success Response (200 OK):

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": 1,
    "username": "admin",
    "roles": ["admin", "editor"]
  }
}

Error Responses:

  • 401 Unauthorized - Invalid credentials
{
  "error": "Invalid credentials"
}
  • 500 Internal Server Error - Login failed
{
  "error": "Login failed"
}

Notes:

  • Token expires after 7 days
  • Store token securely (Keychain/Keystore)
  • Include token in Authorization: Bearer <token> header for all authenticated requests

GET /api/auth/check

Verify if the current token is valid and get updated user information.

Headers:

Authorization: Bearer <token>

Success Response (200 OK):

{
  "authenticated": true,
  "user": {
    "id": 1,
    "username": "admin",
    "email": "admin@example.com",
    "displayName": "Admin User",
    "roles": ["admin", "editor"],
    "permissions": [
      "actions:read",
      "actions:write",
      "news:read",
      "news:write"
    ]
  }
}

Error Response (401 Unauthorized):

{
  "authenticated": false
}

Use Cases:

  • Verify token validity on app startup
  • Refresh user information
  • Check user permissions before showing features
  • Validate authentication before making requests
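The client-side flow the notes above describe (send the token as a Bearer credential, verify it on startup with /api/auth/check, gate features on permissions, and fall back to the login screen when the token is expired or rejected, since there is no refresh endpoint) as an added example; this is not code from the API or its project. The function names, the injected `fetchImpl` and `onSessionEnded` callback, and the sample responses in the stand-alone usage are assumptions for illustration.

```javascript
// Decode the JWT payload without verifying it. The client cannot check an HS256
// signature (it never holds the server's secret), so the result is used only to
// skip requests that are already past exp and to read roles/permissions for UI
// decisions; the server remains the authority on every request.
function decodePayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : []
  if (parts.length !== 3) return null
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/')
    const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0))
    return JSON.parse(new TextDecoder().decode(bytes))
  } catch {
    return null
  }
}

// exp is seconds since the epoch; the token is no longer valid from exp onward.
function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodePayload(token)
  return !payload || typeof payload.exp !== 'number' || nowSeconds >= payload.exp
}

// Gate UI features on the permissions array returned by /api/auth/check.
function hasPermission(user, permission) {
  return Array.isArray(user?.permissions) && user.permissions.includes(permission)
}

// Send an authenticated request. `deps` carries the stored token, the fetch
// implementation (window.fetch in a browser, a stub in tests), a callback run
// when the session is over, and optionally a clock override for testing.
async function authFetch(path, deps, options = {}) {
  const { token, fetchImpl, onSessionEnded, nowSeconds } = deps
  if (!token || isExpired(token, nowSeconds)) {
    onSessionEnded('expired')
    return null
  }
  const headers = { ...(options.headers || {}), Authorization: `Bearer ${token}` }
  const response = await fetchImpl(path, { ...options, headers })
  if (response.status === 401) {
    // The server rejected the token; there is no refresh, so drop it and re-login.
    onSessionEnded('rejected')
    return null
  }
  return response
}

// App-startup check against GET /api/auth/check: resolves to the fresh user
// object, or null when the caller should show the login screen.
async function verifySession(deps) {
  const response = await authFetch('/api/auth/check', deps)
  if (!response) return null
  const body = await response.json()
  return body.authenticated === true ? body.user : null
}
```

In a browser the dependencies would be `{ token: storedToken, fetchImpl: fetch.bind(window), onSessionEnded: () => { /* clear secure storage, route to login */ } }`; `authFetch` then replaces the bare `fetch` calls for every authenticated request, and `verifySession` runs once at startup.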

POST /api/auth/logout

Logout endpoint (stateless - token removal is client-side).

Headers:

Authorization: Bearer <token>
Content-Type: application/json

Success Response (200 OK):

{
  "success": true
}

Notes:

  • This endpoint is optional - token removal can be done client-side
  • Remove token from secure storage on logout
  • Clear user data from memory

POST /api/auth/change-password

Change the current user's password.

Headers:

Authorization: Bearer <token>
Content-Type: application/json

Request Body:

{
  "currentPassword": "oldpassword123",
  "newPassword": "newpassword456"
}

Success Response (200 OK):

{
  "success": true
}

Error Responses:

  • 400 Bad Request - Current password is incorrect
{
  "error": "Current password is incorrect"
}
  • 401 Unauthorized - Invalid or missing token
{
  "error": "Unauthorized"
}
  • 404 Not Found - User not found
{
  "error": "User not found"
}
  • 500 Internal Server Error - Failed to change password
{
  "error": "Failed to change password"
}

Notes:

  • Validate password strength client-side before submitting
  • currentPassword is required to verify identity
  • Password is hashed using SHA-256 before storage
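The client-side strength check the notes ask for, as an added example (not the API's own code). The page states no password policy, so the minimum length, the short deny-list and the character-variety rule are assumptions; the server stays the authority on what it accepts, and the request builder only assembles the documented body and headers once the checks pass.

```javascript
// Constructed deny-list for illustration; a real client would ship a much
// longer list or consult a breached-password service.
const COMMON_PASSWORDS = new Set(['password', 'password123', '123456789012', 'qwertyuiop12', 'letmein12345'])
const MIN_LENGTH = 12 // assumed policy: the page states no minimum

// Returns { ok, problems } so the UI can show every failed rule at once.
function checkNewPassword({ currentPassword, newPassword }) {
  const problems = []
  if (typeof newPassword !== 'string' || newPassword.length < MIN_LENGTH) {
    problems.push(`must be at least ${MIN_LENGTH} characters`)
    return { ok: false, problems } // the remaining rules need a real string of usable length
  }
  if (newPassword === currentPassword) problems.push('must differ from the current password')
  if (COMMON_PASSWORDS.has(newPassword.toLowerCase())) problems.push('is too common')
  if (new Set(newPassword).size < 4) problems.push('must use at least 4 different characters')
  return { ok: problems.length === 0, problems }
}

// Assemble the POST /api/auth/change-password request only when the checks pass.
function buildChangePasswordRequest(body, token) {
  const result = checkNewPassword(body)
  if (!result.ok) return { ok: false, problems: result.problems }
  return {
    ok: true,
    request: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
      body: JSON.stringify({ currentPassword: body.currentPassword, newPassword: body.newPassword })
    }
  }
}
```

A caller would do `const { ok, problems, request } = buildChangePasswordRequest(form, token)` and either render `problems` or call `fetch('/api/auth/change-password', request)`.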

JWT Token Details

Token Format

The JWT token consists of three base64url-encoded parts separated by dots: header.payload.signature

Token Structure

Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:

{
  "userId": 1,
  "username": "admin",
  "roles": ["admin", "editor"],
  "iat": 1234567890,
  "exp": 1235173890
}

Token Expiration

  • Expiration Time: 7 days from issue time (iat)
  • Expiration Check: Tokens are validated server-side
  • Refresh: No refresh endpoint - user must login again when token expires

Token Usage

Include the token in the Authorization header for all authenticated requests:

Authorization: Bearer <token>

Example Usage

JavaScript/Fetch:

// Login: exchange credentials for a JWT (the credentials shown are placeholders)
const response = await fetch('/api/auth/login', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ username: 'admin', password: 'password' })
})
if (!response.ok) {
  // 401 returns { "error": "Invalid credentials" }, 500 returns { "error": "Login failed" }
  const { error } = await response.json()
  throw new Error(`Login failed: ${error}`)
}
const { token, user } = await response.json()

// Store token (see the login notes: native apps should use Keychain/Keystore;
// localStorage is readable by any script running on the page's origin)
localStorage.setItem('auth_token', token)

// Use token: send it as a Bearer credential on every authenticated request
const data = await fetch('/api/staff/news', {
  headers: { 'Authorization': `Bearer ${token}` }
})