Auth & RBAC

Session-based authentication with password flows, bcrypt hashing, an admin bootstrap script and optional role-based access control.


Enabling the auth module generates a complete authentication system mounted at /auth, along with the User model and the middleware to protect your routes.

Endpoints

  • POST /auth/register
  • POST /auth/login
  • POST /auth/logout
  • POST /auth/forgot-password
  • POST /auth/reset-password/:token
  • POST /auth/change-password

How it works

  • Sessions — authentication is session-based using express-session with connect-mongo, so sessions persist in your MongoDB database.
  • Password hashing — passwords are hashed with bcrypt; plaintext is never stored.
  • Password flows — forgot / reset / change password are wired end to end. When the email service is enabled, reset links and confirmations are sent automatically using the bundled templates.

Bootstrap an admin

After your first install, create an initial admin user:

npm run create:admin

Role-based access control

If you enabled RBAC, role-and-permission middleware is generated so you can guard routes:

import { requireRole } from '@/middlewares/auth.middleware.js';
 
router.delete('/:id', requireRole('admin'), ctrl.remove);

Roles are defined in src/constants/roles.ts. The User model carries a role field that the middleware checks on protected routes.
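To make the guard's behaviour concrete, here is an added example (not the generator's own middleware) of an Express-compatible requireRole factory in the shape the snippet above uses. It assumes the logged-in user is stored on the session as req.session.user with a role field, and uses a small constructed ROLES table in place of src/constants/roles.ts; the run() harness stands in for Express so the file executes offline.

```javascript
// Added example: session-backed role guard in the style of the generated
// requireRole. Assumptions (not from the page): req.session.user.role holds
// the role, and ROLES mirrors what src/constants/roles.ts would export.
const ROLES = Object.freeze({ user: 'user', editor: 'editor', admin: 'admin' });

// requireRole('admin') or requireRole('editor', 'admin') returns an Express
// middleware. Unknown role names are rejected at route-definition time so a
// typo cannot silently produce a guard that nobody can pass (fail closed).
function requireRole(...allowed) {
  for (const name of allowed) {
    if (!Object.values(ROLES).includes(name)) {
      throw new Error(`requireRole: unknown role "${name}"`);
    }
  }
  return function roleGuard(req, res, next) {
    const user = req.session && req.session.user;
    // Not logged in: 401, and do not leak whether the route exists for admins.
    if (!user) return res.status(401).json({ error: 'authentication required' });
    // Logged in but wrong role: 403.
    if (!allowed.includes(user.role)) return res.status(403).json({ error: 'forbidden' });
    return next();
  };
}

// Login helper: regenerate the session id before storing the user so a
// session id handed out before authentication is never promoted (fixation).
// express-session exposes req.session.regenerate(cb); the harness mimics it.
function login(req, user, cb) {
  req.session.regenerate((err) => {
    if (err) return cb(err);
    req.session.user = { id: user.id, role: user.role };
    cb(null);
  });
}

// Minimal stand-in for Express req/res so the example runs without a server.
function run(middleware, session) {
  const out = { status: 200, body: null, calledNext: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  middleware({ session }, res, () => { out.calledNext = true; });
  return out;
}

// Constructed session for the login demo; regenerate() clears state like
// express-session would and hands back control asynchronously in real code.
function demoLogin() {
  const req = { session: { id: 'pre-auth-id', regenerate(cb) { this.id = 'fresh-id'; delete this.user; cb(null); } } };
  let result = null;
  login(req, { id: 'u1', role: ROLES.editor }, (err) => { result = err ? 'error' : req.session; });
  return result;
}

module.exports = { ROLES, requireRole, login, run, demoLogin };
```

Wire it up exactly as the snippet above does: router.delete('/:id', requireRole('admin'), ctrl.remove). Because the role is read from the session copy of the user, a role change made in the database takes effect only after the user's next login unless the guard reloads the User document; decide which you want per route.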

Note

RBAC is only available when the auth module is enabled — it builds on the same User model and session middleware.