Authentication¶
Stowaway uses NextAuth.js for authentication, providing secure session-based authentication.
Registration¶
Create a new user account.
Endpoint¶
Request Body¶
{
"name": "John Doe",
"email": "john@example.com",
"password": "securepassword123",
"confirmPassword": "securepassword123"
}
Response¶
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "John Doe",
"email": "john@example.com",
"role": "USER"
}
Validation Rules¶
| Field | Rules |
|---|---|
| name | Optional, max 100 characters |
| email | Required, valid email format |
| password | Required, min 8 characters |
| confirmPassword | Must match password |
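The validation rules in the table, implemented as a server-side check of the registration body. This is an added example and not Stowaway's own validator: the function name, the error wording and the email regex are assumptions. It is stricter than the table in one respect, rejecting non-string values instead of coercing them, which is the behaviour you want on an untrusted JSON body.

```typescript
// Added example: validation of the registration body described above.
// Illustrative code, not Stowaway's validator; names and messages are assumptions.
interface RegistrationBody {
  name?: unknown;
  email?: unknown;
  password?: unknown;
  confirmPassword?: unknown;
}

interface ValidationResult {
  ok: boolean;
  errors: Record<string, string>;
}

// Deliberately simple format check: one "@", non-empty local part, a domain
// containing a dot, no whitespace. Ownership of the address should be
// confirmed by sending mail, not by tightening this pattern.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateRegistration(body: RegistrationBody): ValidationResult {
  const errors: Record<string, string> = {};

  // name: optional, max 100 characters (counted in code points, not UTF-16 units)
  if (body.name !== undefined && body.name !== null) {
    if (typeof body.name !== "string") {
      errors.name = "must be a string";
    } else if (Array.from(body.name).length > 100) {
      errors.name = "must be at most 100 characters";
    }
  }

  // email: required, valid format
  if (typeof body.email !== "string" || body.email.trim() === "") {
    errors.email = "is required";
  } else if (!EMAIL_RE.test(body.email)) {
    errors.email = "must be a valid email address";
  }

  // password: required, min 8 characters
  if (typeof body.password !== "string") {
    errors.password = "is required";
  } else if (body.password.length < 8) {
    errors.password = "must be at least 8 characters";
  }

  // confirmPassword: must match password exactly
  if (typeof body.confirmPassword !== "string" || body.confirmPassword !== body.password) {
    errors.confirmPassword = "must match password";
  }

  return { ok: Object.keys(errors).length === 0, errors };
}
```

Run the body through this before it reaches the database layer; a rejected body should return the per-field errors and never create a user.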
Login¶
Authentication is handled through NextAuth.js endpoints.
Endpoint¶
Request Body¶
Response¶
On success, a session cookie is set and the user is redirected.
Session¶
Get current session information.
Endpoint¶
Response¶
{
"user": {
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "John Doe",
"email": "john@example.com",
"role": "USER"
},
"expires": "2024-02-15T12:00:00.000Z"
}
Logout¶
End the current session.
Endpoint¶
User Roles¶
USER¶
Standard users can:
- View, create, edit, delete their own items
- Manage their own categories and locations
- Export/import their own data
ADMIN¶
Administrators have all USER permissions plus:
- Access to all users' data
- User management (future feature)
First User
The first user to register automatically becomes an ADMIN.
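The two rules above, first registered account becomes ADMIN and USER accounts only reach their own data, as an added example that is not Stowaway's code. The in-memory store, the `canAccessItem` helper and the `Item` shape are assumptions; the `Session` shape mirrors the session response shown earlier (user id, role and `expires`).

```typescript
// Added example: role assignment at registration and the ownership check
// for USER vs ADMIN. Illustrative only; store and helper names are assumptions.
type Role = "USER" | "ADMIN";

interface User {
  id: string;
  email: string;
  role: Role;
}

// Hypothetical item shape: only the owner id matters for the check below.
interface Item {
  id: string;
  ownerId: string;
  name: string;
}

// Same fields as the session endpoint returns (expires is ISO-8601).
interface Session {
  user: { id: string; role: Role };
  expires: string;
}

class UserStore {
  private users = new Map<string, User>();
  private nextId = 1;

  register(email: string): User {
    // The first account to register is promoted to ADMIN; every later account
    // is a plain USER. In a real database the count and the insert must run in
    // one transaction, otherwise two concurrent first registrations could both
    // see an empty table and both become ADMIN.
    const role: Role = this.users.size === 0 ? "ADMIN" : "USER";
    const user: User = { id: String(this.nextId++), email, role };
    this.users.set(user.id, user);
    return user;
  }

  count(): number {
    return this.users.size;
  }
}

// True when the session holder may view/edit/delete the item:
// ADMIN may act on any item, USER only on items they own.
function canAccessItem(session: Session, item: Item, now: Date = new Date()): boolean {
  // Reject an expired session before consulting the role at all.
  if (new Date(session.expires).getTime() <= now.getTime()) return false;
  if (session.user.role === "ADMIN") return true;
  return item.ownerId === session.user.id;
}
```

The expiry check comes first on purpose: an ADMIN role in a stale session must not short-circuit the decision, and the ownership comparison is on the user id from the session, never on an id supplied in the request.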
Password Security¶
- Passwords are hashed using bcrypt with 12 rounds
- Passwords must be at least 8 characters
- No password is ever stored in plain text
Session Security¶
- Sessions use JWT tokens
- Tokens are encrypted with AUTH_SECRET
- Sessions expire after inactivity (configurable)
- CSRF protection is enabled by default