Auth API
Overview
The Auth API handles authentication, authorization, and user management. It runs on Axum (REST) and Tonic (gRPC).

- REST: port 3001 (dev) / 8080 (prod)
- gRPC: port 50051 (internal only)
- Base URL (prod): https://auth.waqfuel.com
Public Endpoints
Register Volunteer

POST /auth/register-volunteer
Content-Type: application/json

{
  "name": "Ahmad Volunteer",
  "email": "ahmad@example.com",
  "phone": "+628123456789",
  "password": "securepassword123"
}

Response 201 Created:

{
  "message": "Registration successful. Please verify your email.",
  "user_id": "550e8400-e29b-41d4-a716-446655440000"
}

Verify Email Code

POST /auth/verify-email-code
Content-Type: application/json

{
  "email": "ahmad@example.com",
  "code": "123456"
}

Login

POST /auth/login
Content-Type: application/json

{
  "email": "ahmad@example.com",
  "password": "securepassword123"
}

Response 200 OK:

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 900
}

The refresh token is sent via Set-Cookie: refresh_token=...; HttpOnly; Secure; SameSite=Lax; Max-Age=604800.
Refresh Token
POST /auth/refresh
Cookie: refresh_token=...

Response: same as login (a new access_token).

JWKS Endpoint

GET /.well-known/jwks.json

Response:

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "key-prod-001",
      "use": "sig",
      "alg": "RS256",
      "n": "...",
      "e": "AQAB"
    }
  ]
}

Check Invitation

GET /auth/invitation/{token}

Activate Account

POST /auth/activate
Content-Type: application/json

{
  "token": "invitation-token-here",
  "password": "newpassword123"
}

Protected Endpoints
All of the following endpoints require the header:

Authorization: Bearer <access_token>

Logout

POST /auth/logout

Get Profile

GET /user/profile

Response 200 OK:

{
  "id": "550e8400-...",
  "name": "Ahmad Volunteer",
  "email": "ahmad@example.com",
  "phone": "+628123456789",
  "role": "volunteer",
  "photo": "https://s3.../profile/photo.jpg",
  "is_verified": true
}

Update Profile

PATCH /user/profile
Content-Type: application/json

{
  "name": "Ahmad Updated",
  "phone": "+628987654321"
}

Change Password

POST /user/change-password
Content-Type: application/json

{
  "current_password": "oldpassword",
  "new_password": "newpassword123"
}

Get Photo Upload URL

POST /user/photo/upload-url
Content-Type: application/json

{
  "content_type": "image/jpeg",
  "file_name": "photo.jpg"
}

Response: a presigned S3 URL for direct upload from the client.
Get Role Configs
GET /auth/role-configs

gRPC Service: UserService

Used by main-api to look up user data.

service UserService {
  rpc GetUserById (GetUserByIdRequest) returns (UserResponse);
  rpc GetUsersByIds (GetUsersByIdsRequest) returns (UsersResponse);
  rpc CreateUser (CreateUserRequest) returns (UserResponse);
  rpc ListUsers (ListUsersRequest) returns (UsersResponse);
  rpc AdminCreateUser (AdminCreateUserRequest) returns (UserResponse);
  rpc ResendInvitation (ResendInvitationRequest) returns (Empty);
}

JWT Claims

{
  "sub": "user-uuid",
  "email": "user@example.com",
  "role": "volunteer",
  "iat": 1717200000,
  "exp": 1717200900
}

Error Responses

{
  "error": "Invalid credentials",
  "code": "AUTH_INVALID_CREDENTIALS"
}

Common error codes: AUTH_INVALID_CREDENTIALS, AUTH_EMAIL_NOT_VERIFIED, AUTH_TOKEN_EXPIRED, AUTH_INSUFFICIENT_ROLE.