JCC Express

Authentication

Introduction

JCC Express MVC authentication is cookie + JWT based. It is centered on the Authentication class (jcc-express-mvc/lib/Auth/index.ts) and three middleware exports:

  • auth (web/session-like protected routes)
  • apiAuth (API bearer/cookie token protection)
  • guest (guest-only routes)

All of these, together with the Auth helper, are exported from the jcc-express-mvc package.

Login flow

A typical controller or login handler calls Auth.attempt(next), which:

  • resolves the user by email, phone, or username
  • verifies the password with verifyHash(...)
  • on success issues two cookies:
    - auth_token: the access token (~1 hour)
    - refresh_token: the refresh token (~7 days)
  • on failure throws ValidationException ("Invalid credentials") and forwards it to next(error)

Keep the failure message generic: a caller should not wrap this exception in a more specific error (such as "user not found"), because that would let the login form be used to enumerate accounts.

Auth middleware behavior

auth

  • reads auth_token cookie
  • verifies token type/payload
  • loads user and attaches req.user
  • sets res.locals.Auth = user
  • if the token is invalid or missing: clears the auth cookies, stores the requested URL in the session as the post-login redirect target, and redirects to /login

apiAuth

  • reads the Authorization: Bearer <token> header first, then falls back to the auth_token cookie
  • returns 401 { message: "Not authorized" } on failure
  • sets req.user and req.id on success

Because of the cookie fallback, a browser will send auth_token automatically on API requests, so state-changing API routes are exposed to cross-site request forgery in the same way as web routes; protect them with SameSite cookie attributes and/or a CSRF token rather than relying on the bearer header alone.

guest

  • blocks authenticated users from guest routes
  • if an auth_token is present, redirects back to the previous page instead of rendering the guest route

Refresh and logout

Refresh

Auth.refreshToken(req, res, next) validates the presented refresh token, rotates it (the old jti is revoked in the jti store and a new one issued), reissues both cookies, and rehydrates req.user.

On failure it clears cookies and returns 401.

Logout

Auth.logout():

  • revokes the refresh token's jti if one is present
  • clears the auth_token and refresh_token cookies
  • redirects to /login
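The token lifecycle described under Login flow, Auth middleware behavior (the token type/payload check), apiAuth (bearer header before cookie), Refresh and Logout, as an added example that is not jcc-express-mvc's own code. It models HS256 JWT access/refresh tokens with a `typ` claim and a server-side jti store using only node:crypto. Every name in it (issueTokens, verifyToken, extractApiToken, refresh, logout, SECRET, the in-memory Set) is an assumption made for illustration, not the framework's API; the real implementation lives in jcc-express-mvc/lib/Auth/index.ts.

```typescript
import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";

// Hypothetical signing secret; a real deployment loads it from configuration.
const SECRET = "example-secret-do-not-use";
const ACCESS_TTL = 60 * 60;           // access token ~1 hour, as described above
const REFRESH_TTL = 7 * 24 * 60 * 60; // refresh token ~7 days
const nowSec = () => Math.floor(Date.now() / 1000);

type TokenType = "access" | "refresh";
interface Claims { sub: string; typ: TokenType; jti: string; iat: number; exp: number }

// Server-side jti store (assumed in-memory): refresh-token ids that are still
// valid. Rotation and logout remove entries; a removed jti presented again is rejected.
const activeRefreshJtis = new Set<string>();

const b64url = (s: string) => Buffer.from(s, "utf8").toString("base64url");
const hmac = (signingInput: string) => createHmac("sha256", SECRET).update(signingInput).digest();

function sign(claims: Claims): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${hmac(`${head}.${body}`).toString("base64url")}`;
}

// Signature, expiry and token-type check. The header's alg is ignored on
// purpose: we always verify with HS256, so an "alg: none" header buys nothing.
// Checking typ is what stops a refresh token being replayed as an access token.
export function verifyToken(token: string, expected: TokenType, now = nowSec()): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head = "", body = "", mac = ""] = parts;
  const want = hmac(`${head}.${body}`);
  const got = Buffer.from(mac, "base64url");
  if (want.length !== got.length || !timingSafeEqual(want, got)) return null;
  let claims: Claims;
  try { claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8")); } catch { return null; }
  if (claims.typ !== expected || typeof claims.sub !== "string") return null;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims;
}

// Login success: one access token and one refresh token. Only the refresh jti
// is tracked server-side; the short-lived access token is stateless.
export function issueTokens(userId: string, now = nowSec()) {
  const refreshJti = randomUUID();
  activeRefreshJtis.add(refreshJti);
  return {
    auth_token: sign({ sub: userId, typ: "access", jti: randomUUID(), iat: now, exp: now + ACCESS_TTL }),
    refresh_token: sign({ sub: userId, typ: "refresh", jti: refreshJti, iat: now, exp: now + REFRESH_TTL }),
  };
}

// apiAuth-style token selection: Authorization: Bearer first, cookie fallback.
export function extractApiToken(authorization: string | undefined, cookies: Record<string, string>): string | undefined {
  const m = authorization?.match(/^Bearer\s+(\S+)$/i);
  return m ? m[1] : cookies["auth_token"];
}

// Refresh: verify, require the jti to still be active, revoke it, reissue.
// Returns null (the caller clears cookies and answers 401) on any failure,
// including reuse of an already-rotated token.
export function refresh(refreshToken: string, now = nowSec()) {
  const claims = verifyToken(refreshToken, "refresh", now);
  if (!claims || !activeRefreshJtis.has(claims.jti)) return null;
  activeRefreshJtis.delete(claims.jti);
  return issueTokens(claims.sub, now);
}

// Logout: revoke the refresh jti if a valid refresh token was presented; the
// caller then clears both cookies. Returns whether a jti was actually revoked.
export function logout(refreshToken: string | undefined, now = nowSec()): boolean {
  if (!refreshToken) return false;
  const claims = verifyToken(refreshToken, "refresh", now);
  if (!claims) return false;
  return activeRefreshJtis.delete(claims.jti);
}
```

The `typ` check is the part most often missed in hand-rolled token code: both tokens are signed with the same key, so without it a 7-day refresh token stolen from a cookie would work as a 7-day access token. Rotation plus the jti store also means that the old refresh token, if replayed after a refresh, is rejected rather than minting a second session.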

Auth helper methods

  • Auth.check() -> true when the auth_token cookie is present and verifies as a valid access token
  • Auth.user() -> current user from request
  • Auth.id() -> current user id (id or _id)
  • Auth.socialLogin(userId) -> issues auth cookies after OAuth/social flow

Route examples

Protect web routes with the auth middleware, API routes with apiAuth, and login/registration routes with guest.

Summary

  • Authentication uses JWT cookies with rotating refresh tokens.
  • Use Auth.attempt(next) for login, auth/apiAuth middleware for protection.
  • Auth.logout() clears auth state and redirects to login.