Endpoint reference for admin auth and customer mobile auth, including Google OAuth customer flow and edge-case behavior.

Auth - API & Integration Guide

1. Route Surfaces

Auth is split across two surfaces:

Admin / backoffice auth: /api/auth/*
Customer mobile auth: /api/mobile/auth/*

Google OAuth is customer-only and is exposed only on /api/mobile/auth/*.

2. Endpoint Reference

2.1 Admin auth (`/api/auth/*`)

Method	Path	Auth	Description
POST	`/api/auth/login/email`	Public	Admin email/password login
POST	`/api/auth/password/forgot`	Public	Request password reset
POST	`/api/auth/password/reset`	Public	Reset password via token or OTP
POST	`/api/auth/password/set`	JWT	Set or change password for authenticated user
POST	`/api/auth/email/verify/resend`	Public	Resend email verification
POST	`/api/auth/email/verify/confirm`	Public	Confirm email verification
POST	`/api/auth/refresh`	Public	Rotate refresh/access tokens
GET	`/api/auth/me`	JWT	Get current user profile (includes `hasPassword`)
GET	`/api/auth/permissions`	JWT	Get current user permissions
POST	`/api/auth/phone/verify/request`	JWT	Send phone verification OTP
POST	`/api/auth/phone/verify/confirm`	JWT	Confirm phone verification OTP
DELETE	`/api/auth/logout`	JWT	Logout current session

2.2 Customer mobile auth (`/api/mobile/auth/*`)

Method	Path	Auth	Description
POST	`/api/mobile/auth/register`	Public	Customer register (email/password)
POST	`/api/mobile/auth/login/email`	Public	Customer email/password login
GET	`/api/mobile/auth/google`	Public	Start Google OAuth redirect (`redirect_uri` required)
GET	`/api/mobile/auth/google/callback`	Public	Google callback; redirects to frontend with one-time `code`
POST	`/api/mobile/auth/google/exchange`	Public	Exchange one-time code for `user + tokens`
POST	`/api/mobile/auth/refresh`	Public	Rotate refresh/access tokens
POST	`/api/mobile/auth/password/forgot`	Public	Request password reset
POST	`/api/mobile/auth/password/reset`	Public	Reset password via token or OTP
POST	`/api/mobile/auth/password/set`	JWT	Set password for authenticated mobile user
POST	`/api/mobile/auth/email/verify/resend`	Public	Resend email verification
POST	`/api/mobile/auth/email/verify/confirm`	Public	Confirm email verification
GET	`/api/mobile/auth/me`	JWT	Get current user profile (includes `hasPassword`)
DELETE	`/api/mobile/auth/logout`	JWT	Logout current session

3. Key Contracts

POST /api/mobile/auth/login/email

{
  "email": "customer@example.com",
  "password": "StrongPass123",
  "deviceInfo": {
    "deviceId": "android-abc",
    "deviceType": "android",
    "deviceName": "Pixel",
    "fcmToken": "optional-fcm-token"
  }
}

3.2 Google one-time code exchange success shape (customer)

POST /api/mobile/auth/google/exchange

{
  "code": "e2f6d17ea01b5b824db6f7d8f936f1b5e97cef25afd8515b"
}

Response:

{
  "message": "Google login successful.",
  "data": {
    "user": {
      "id": "uuidv7",
      "name": "Tenzin Sherpa",
      "email": "tenzin@example.com",
      "image": "https://lh3.googleusercontent.com/...",
      "emailVerified": true,
      "phone": null,
      "phoneVerified": false,
      "role": "customer"
    },
    "tokens": {
      "sessionId": "uuidv7",
      "accessToken": "<jwt>",
      "refreshToken": "<opaque-token>"
    }
  }
}

4. Set Password

Authenticated endpoints for setting or changing a user's password. Google-only users use this to create an EMAIL account with a password. Existing EMAIL users use this to change their password.

4.1 POST `/api/auth/password/set`

4.2 POST `/api/mobile/auth/password/set`

Set or change password for an authenticated user.

Authentication: JWT Bearer token

Rate limit: 5 requests per 15 minutes

Request body:

{
  "newPassword": "NewPass@1234",
  "currentPassword": "CurrentPass@123"
}

currentPassword is required only if the user already has a password.

Response (200 OK):

{
  "message": "Password set successfully.",
  "data": null,
  "errorCode": null
}

Errors:

400 Bad Request — currentPassword missing when user already has password
401 Unauthorized — Invalid JWT or incorrect currentPassword
429 Too Many Requests — Rate limit exceeded

5. `hasPassword` Field

All profile responses from:

GET /api/auth/me
GET /api/mobile/auth/me

include hasPassword: boolean.

hasPassword: false means no EMAIL provider password exists yet.
hasPassword: true means EMAIL provider password is set.

Frontend integration:

hasPassword === false → show "Add Password"
hasPassword === true → show "Change Password"

6. Google OAuth Behavior Matrix (Actual Runtime)

Google auth is handled by AuthService.handleGoogleOAuth() and has the following behavior:

Scenario	Result
Google profile has no email	`400 BadRequest` (`Google account must have an email.`)
Email belongs to admin account	`401 Unauthorized` (`Google login is not available for admin accounts.`)
Existing customer with Google account link	Updates provider tokens and logs in
Existing customer without Google account link	Creates `account` provider link and logs in
Existing customer with `emailVerified=false`	Marks `emailVerified=true`, then logs in
No existing customer	Auto-creates customer + Google account link, then logs in

Important note for pending email-verification users

If a customer registered via email/password but did not verify email yet, successful Google login with the same email will mark the customer as verified and issue tokens.

7. Operational Notes

Required Google env keys:

GOOGLE_CLIENT_ID
GOOGLE_CLIENT_SECRET
GOOGLE_CALLBACK_URL
GOOGLE_OAUTH_REDIRECT_ALLOWLIST
GOOGLE_OAUTH_STATE_SECRET
GOOGLE_OAUTH_STATE_TTL_SECONDS (default 300)
GOOGLE_OAUTH_CODE_TTL_SECONDS (default 90)

Callback URL must match mobile auth callback route:

Example: if PORT=5002, use http://localhost:5002/api/mobile/auth/google/callback

Redirect allowlist must include exact frontend callback URLs, for example:

https://app.thangka.navneetverma.com/auth/callback

8. Guardrail Summary

Superadmin/admin login is email/password only.
Customer Google login/signup is mobile auth only.
There is no Google OAuth endpoint under /api/auth/google*.
Bearer tokens are never returned in browser redirect URLs.

Auth Module API & Integration Guide