
What is Authentication?

StockAPI uses JWT (JSON Web Token) based authentication to secure its API endpoints, so that only authenticated users can reach protected resources and, through their role, perform the actions permitted to them. Authentication is required for most operations involving products and orders.

Why Authentication is Needed

StockAPI is designed for exclusive use by sellers (vendedores) in a small market. Authentication ensures that:
  • Only authorized personnel can create, modify, or delete products
  • Order creation and management is restricted to authenticated users
  • Each action can be traced back to a specific user
  • Sensitive business data is protected from unauthorized access
The GET /products endpoint (listing all products) is the only public endpoint that does not require authentication. Every other product and order operation requires a valid JWT, sent as a Bearer credential in the Authorization header.

Authentication Flow

The authentication flow in StockAPI follows these steps:
Step 1: User Creation

There is no self-service registration: users are created manually by administrators with the createUserScript.js utility. Passwords are hashed with bcryptjs before being stored, so the database never holds a plaintext password.
// Example from createUserScript.js (imports added for context; the model path is assumed)
const bcrypt = require('bcryptjs');
const User = require('./models/User');

// Cost factor 10 (bcryptjs "salt rounds"): bcrypt generates a random salt
// and embeds it in the resulting hash string, so no separate salt column is needed.
const hashedPassword = await bcrypt.hash(password, 10);
const newUser = new User({
    username,
    password: hashedPassword,   // store only the hash, never the plaintext
    role
});
Step 2: Login Request

Users authenticate by POSTing their username and password as JSON to the /login endpoint. The credentials below are the page's sample values, not real ones:
curl -X POST https://api.stockapi.com/api/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "admin2",
    "password": "1234"
  }'
Step 3: Token Generation

If the credentials are valid, the API returns a signed JWT that expires 4 hours after it is issued, together with a confirmation message (in Spanish, "Login exitoso") and the user's username and role:
{
  "message": "Login exitoso",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "username": "admin2",
    "role": "vendedor"
  }
}
Step 4: Authenticated Requests

The client sends the token in the Authorization header, using the Bearer scheme, on every subsequent request to a protected endpoint. A JWT is a bearer credential: whoever holds it can act as that user until it expires, so it must only travel over HTTPS and must never be written to logs or URLs.
curl -X POST https://api.stockapi.com/api/products \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{"name": "Product Name", "price": 100}'
Step 5: Token Verification

For each protected request, the verifyToken middleware validates the JWT before the route handler runs: it checks the signature against JWT_SECRET and rejects expired tokens. A request with a missing, tampered or expired token is refused before it reaches the resource.

Security Features

Password Hashing

All passwords are hashed with bcryptjs using a cost factor of 10 (bcryptjs "salt rounds") before storage; the per-password salt is generated by bcrypt and embedded in the stored hash

JWT Signing

Tokens are signed with a secret key (JWT_SECRET) read from an environment variable, so a token whose payload has been altered fails verification

Token Expiration

Tokens expire 4 hours after issuance, which limits the window in which a leaked token can be used

Role-Based Access

User roles determine what actions can be performed in the system

Protected Endpoints

The following endpoints require authentication:

Products

  • POST /products - Create a new product
  • GET /products/:id - Get a specific product
  • GET /search - Search for products
  • PUT /products/:id - Update a product
  • DELETE /products/:id - Delete a product

Orders

  • POST /orders - Create a new order
  • GET /orders - Get all orders
  • DELETE /orders/:id - Delete an order
The JWT secret (JWT_SECRET) is read from an environment variable. It must be kept secure and never committed to version control: anyone who knows it can mint a token for any user and role. Because all tokens are verified against this single secret, rotating it invalidates every outstanding token.

Next Steps

JWT Tokens

Learn how to obtain and use JWT tokens

User Roles

Understand role-based access control