Authentication Module
The auth module handles user registration, login, JWT token management, email verification, and password reset flows.
Technology
- Strategy: JWT Bearer tokens via Passport.js
- Password Hashing: bcrypt
- Token Types: Access token, refresh token, email verification token
- Email: Nodemailer with Gmail OAuth2
Auth Flow
```text
┌──────────┐      POST /auth/register       ┌──────────┐
│  Client  │ ─────────────────────────────▶ │ Backend  │
│          │                                │          │
│          │ ◀──── 201 + Verification ───── │ Creates  │
│          │       Email Sent               │ User +   │
│          │                                │ Token    │
│          │   POST /auth/verify-email      │          │
│          │ ─────────────────────────────▶ │ Verifies │
│          │ ◀──── 200 OK ───────────────── │ Email    │
│          │                                │          │
│          │   POST /auth/login             │          │
│          │ ─────────────────────────────▶ │ Issues   │
│          │ ◀──── Access + Refresh ─────── │ JWTs     │
│          │       Tokens                   │          │
│          │                                │          │
│          │   POST /auth/refresh           │          │
│          │ ─────────────────────────────▶ │ Rotates  │
│          │ ◀──── New Access Token ─────── │ Token    │
└──────────┘                                └──────────┘
```
Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /auth/register | Public | Register a new user |
| POST | /auth/login | Public | Login and receive JWT tokens |
| POST | /auth/refresh | Refresh Token | Get a new access token |
| POST | /auth/verify-email | Public | Verify email with code/token |
| POST | /auth/forgot-password | Public | Send password reset email |
| POST | /auth/reset-password | Public | Reset password with token |
| GET | /auth/me | Bearer Token | Get current user profile |
JWT Configuration
| Token | Secret Env Var | Expiration Env Var | Purpose |
|---|---|---|---|
| Access Token | JWT_SECRET | JWT_EXPIRATION_TIME | API request authentication |
| Refresh Token | JWT_REFRESH_SECRET | — | Access token renewal |
| Verification Token | JWT_VERIFICATION_SECRET | — | Email verification links |
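The table above gives each token type its own secret. The following is an added example, not the module's own code, showing why that matters in practice: a minimal HS256 JWT minter and verifier (Node's `crypto` only, no JWT library) keyed per token type, which also records the token type in a `typ` claim so a refresh or verification token is rejected when presented as an access token even if two secrets were accidentally set to the same value. The env-var names are the page's; the fallback secrets and the refresh/verification lifetimes are constructed for the demo, since the page lists no expiration variable for those two.

```typescript
// Added example (not the project's own code): HS256 JWT minting/verification
// with one secret and one lifetime per token type, mirroring the table above.
// Fallback secret values are constructed for this stand-alone demo only.
import { createHmac, timingSafeEqual } from "node:crypto";

type TokenType = "access" | "refresh" | "verification";

interface Claims {
  sub: string;    // user id
  typ: TokenType; // which kind of token this is
  iat: number;    // issued at (seconds since epoch)
  exp: number;    // expiry (seconds since epoch)
}

// JWT_EXPIRATION_TIME is the page's env var for the access token lifetime
// (assumed here to be in seconds). Refresh and verification lifetimes are
// assumptions for the demo; the page defines no env var for them.
const TOKEN_CONFIG: Record<TokenType, { secret: string; ttlSeconds: number }> = {
  access: {
    secret: process.env.JWT_SECRET ?? "demo-access-secret",
    ttlSeconds: Number(process.env.JWT_EXPIRATION_TIME ?? 900),
  },
  refresh: {
    secret: process.env.JWT_REFRESH_SECRET ?? "demo-refresh-secret",
    ttlSeconds: 7 * 24 * 3600,
  },
  verification: {
    secret: process.env.JWT_VERIFICATION_SECRET ?? "demo-verification-secret",
    ttlSeconds: 24 * 3600,
  },
};

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

function hmac(secret: string, data: string): string {
  return createHmac("sha256", secret).update(data).digest("base64url");
}

// Mints a token of the given type, signed with that type's secret.
export function signToken(
  sub: string,
  typ: TokenType,
  nowSeconds = Math.floor(Date.now() / 1000),
): string {
  const { secret, ttlSeconds } = TOKEN_CONFIG[typ];
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const claims: Claims = { sub, typ, iat: nowSeconds, exp: nowSeconds + ttlSeconds };
  const payload = b64url(JSON.stringify(claims));
  return `${header}.${payload}.${hmac(secret, `${header}.${payload}`)}`;
}

// Returns the claims only if the token carries a valid signature under the
// expected type's secret, declares that same type, and has not expired.
// The signature is checked before the payload is trusted or parsed.
export function verifyToken(
  token: string,
  expected: TokenType,
  nowSeconds = Math.floor(Date.now() / 1000),
): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;

  // Accept HS256 only; "none" or any other algorithm is rejected outright.
  let alg: unknown;
  try {
    alg = JSON.parse(Buffer.from(header, "base64url").toString()).alg;
  } catch {
    return null;
  }
  if (alg !== "HS256") return null;

  const expectedSig = Buffer.from(hmac(TOKEN_CONFIG[expected].secret, `${header}.${payload}`));
  const givenSig = Buffer.from(sig);
  if (expectedSig.length !== givenSig.length || !timingSafeEqual(expectedSig, givenSig)) {
    return null;
  }

  let claims: Claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  } catch {
    return null;
  }
  if (claims.typ !== expected) return null;                        // wrong token kind
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null; // expired
  return claims;
}
```

With this shape, `POST /auth/refresh` verifies the presented token with `verifyToken(token, "refresh")` and then mints a fresh access token with `signToken(sub, "access")`; a refresh token sent to `GET /auth/me` fails the `typ` check before any user lookup happens.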
Guards
The backend uses NestJS guards to protect routes:
- `JwtAuthGuard`: validates the Bearer token on protected endpoints.
- Applied globally or per-controller via `@UseGuards(JwtAuthGuard)`.

Tip: Public endpoints use custom decorators to bypass the auth guard.
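To make the guard's decision logic concrete, here is an added, framework-free model of it; it is not the module's `JwtAuthGuard` and does not import NestJS. `markPublic` stands in for the custom "public" decorator the tip above refers to (a `WeakSet` plays the role of the decorator metadata the real guard reads), and the JWT verifier is injected so the block is independent of any JWT library; `demoVerify` is a constructed stand-in that accepts exactly one fake token.

```typescript
// Added example (not the project's own code): the decision a JwtAuthGuard
// makes per request, written as a plain function so it can be run directly.
type Handler = (...args: unknown[]) => unknown;
type Principal = { sub: string };
type Verifier = (token: string) => Principal | null;

interface HttpRequest {
  headers: Record<string, string | undefined>;
  user?: Principal; // populated on success, like req.user in Nest
}

// Stand-in for decorator metadata: handlers marked public skip the guard.
const publicHandlers = new WeakSet<Handler>();
export function markPublic<T extends Handler>(handler: T): T {
  publicHandlers.add(handler);
  return handler;
}

export class UnauthorizedError extends Error {}

// Pulls the token out of "Authorization: Bearer <token>". The scheme match is
// case-insensitive (RFC 7235); any other scheme or shape yields null.
export function extractBearer(header: string | undefined): string | null {
  if (!header) return null;
  const m = /^\s*Bearer\s+(\S+)\s*$/i.exec(header);
  return m ? m[1] : null;
}

// Public handlers pass without a token. Everything else needs a Bearer token
// the verifier accepts; a missing/malformed header and an invalid token are
// both 401-class failures, surfaced here as UnauthorizedError.
export function jwtAuthGuard(req: HttpRequest, handler: Handler, verify: Verifier): boolean {
  if (publicHandlers.has(handler)) return true;
  const token = extractBearer(req.headers["authorization"]);
  if (token === null) throw new UnauthorizedError("missing or malformed Authorization header");
  const principal = verify(token);
  if (principal === null) throw new UnauthorizedError("invalid or expired access token");
  req.user = principal;
  return true;
}

// Constructed verifier for the demo; the real module verifies a JWT signed
// with JWT_SECRET here instead.
export const demoVerify: Verifier = (token) =>
  token === "demo-valid-token" ? { sub: "user-1" } : null;

// Two constructed handlers: /auth/me is protected, /auth/login is public.
export const getProfile: Handler = () => "profile";
export const login: Handler = markPublic(() => "login");
```

The order of checks is the point: the public marker is consulted first so that no header parsing or token verification runs for public routes, and the principal is attached to the request only after the verifier has accepted the token.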