masaruk Documentation Portal

1. Purpose

This document defines all authentication & user-management endpoints across MASARUK:

B2C end-user authentication (Web + Mobile)
Provider Portal authentication (B2B)
Admin Panel authentication
JWT token generation
Profile management
Password recovery
Social login integration (Google / Facebook)

This API layer is shared across:

Next.js Web Frontend
Flutter Mobile Apps
Admin Panel
Provider Portal

2. Auth Model Overview

2.1 Authentication Method

MASARUK backend uses:

JWT (jsonwebtoken) for all platforms.
HTTP-only cookies for secure web session refresh tokens.

2.2 Token Behavior

Platform	Token Type	Storage	Expiry
Web (Next.js)	JWT Access + Refresh Token	Access: Memory, Refresh: HttpOnly Cookie	Access: 15min-1h, Refresh: 7-30d
Mobile	JWT	Secure Storage	Configurable (e.g., 30 d)
Provider Portal	JWT	Access: Memory, Refresh: HttpOnly Cookie	Configurable

2.3 Required Headers

Authorization: Bearer <token>

Accept: application/json

Content-Type: application/json

3. Entities Involved

User

(Arabic labels preserved as-is from UI)

Field	Description
id	Primary key
full_name	"الاسم بالكامل"
email	"البريد الالكتروني"
phone	"رقم الجوال"
password_hash	Hashed password
role	ENUM: super_admin, admin, provider_admin, provider_staff, user
status	ACTIVE / BLOCKED
created_at	Date
updated_at	Date

4. Endpoints

All endpoints below follow the standard error and validation patterns from api-principles-and-versioning.md.

POST/api/v1/auth/signup

Creates a new customer account.

Request Body:

{
  "full_name": "محمد أحمد",
  "email": "user@example.com",
  "phone": "966500000000",
  "password": "StrongPass123",
  "password_confirmation": "StrongPass123"
}

Validation Rules:

full_name: required, string
email: required, unique
phone: required, unique
password: required, confirmed

Example Response:

{
  "success": true,
  "token": "<jwt_token>",
  "user": {
    "id": 1,
    "full_name": "محمد أحمد",
    "email": "user@example.com",
    "phone": "966500000000",
    "role": "user"
  }
}

POST/api/v1/auth/login

Request Body:

{
  "email": "user@example.com",
  "password": "StrongPass123"
}

Example Response:

{
  "success": true,
  "token": "<jwt_token>",
  "user": {
    "id": 1,
    "full_name": "محمد أحمد",
    "email": "user@example.com",
    "role": "user"
  }
}

Error Cases:

401Invalid credentials

403Blocked user (status = BLOCKED)

POST/api/v1/auth/social

Used for both Google and Facebook.

Request Body:

{
  "provider": "google",
  "access_token": "<provider_token>"
}

Same shape as normal login (returns token + user).

POST/api/v1/auth/logout

Invalidates the current JWT token / session according to platform rules.

5. Profile Management

GET/api/v1/user/profile

Example Response:

{
  "id": 1,
  "full_name": "محمد أحمد",
  "email": "user@example.com",
  "phone": "966500000000",
  "role": "user"
}

PUT/api/v1/user/profile

Request Body:

{
  "full_name": "محمد أحمد",
  "phone": "966500000010"
}

PUT/api/v1/user/change-password

Request Body:

{
  "current_password": "oldPass123",
  "new_password": "NewStrong123",
  "new_password_confirmation": "NewStrong123"
}

6. Password Reset Flow

POST/api/v1/auth/forgot-password

Request Body:

{ "email": "user@example.com" }

Example Response:

{ "message": "Password reset link sent" }

POST/api/v1/auth/reset-password

Request Body:

{
  "token": "<reset_token>",
  "email": "user@example.com",
  "password": "NewPass123",
  "password_confirmation": "NewPass123"
}

7. Admin & Provider Authentication

POST/api/v1/provider/auth/login

Uses the same basic login flow but must return provider-specific fields.

Example Response:

{
  "token": "<jwt>",
  "user": {
    "id": 33,
    "role": "provider_admin",
    "provider_id": 7
  }
}

role is either provider_admin or provider_staff.
provider_id is the owning company.

POST/api/v1/admin/auth/login

Only super_admin or admin roles are allowed.

8. Status Mapping

For reference; full mapping lives in 00-guidelines/status-mapping-template.md.

Arabic (UI)	Internal Enum	Notes
نشط/فعّال	ACTIVE	Unified internally
غير نشط / غير فعّال	INACTIVE
ملغاه	CANCELLED	Used in bookings
مكتملة	COMPLETED
قيد التنفيذ	PENDING	Canonical internal ID

9. Error Patterns

Standardized across all endpoints.

401Unauthorized

{ "success": false, "message": "Unauthorized" }

422Validation Error

{ "errors": { "email": ["Email is required"] } }

500Internal Error

{ "message": "Server error" }

10. Related Business Rules

•User cannot log in if status = BLOCKED.
•Provider users must belong to a valid provider_id.
•Social login auto-creates an account if not exist.
•Password reset tokens expire after configured TTL.
•JWT refresh tokens may be introduced later (flagged for roadmap).

11. Related Documents

00-guidelines/naming-conventions.md

03-domain-model/domain-entities-and-relationships.md

03-domain-model/statuses-and-lifecycles.md

04-functional-spec/providers-and-companies-module.md

04-functional-spec/bookings-module.md

08-rbac/roles-and-permissions-matrix.md

Auth & Users API

1. Purpose

2. Auth Model Overview

2.1 Authentication Method

2.2 Token Behavior

2.3 Required Headers

3. Entities Involved

User

4. Endpoints

Request Body:

Validation Rules:

Example Response:

Request Body:

Example Response:

Error Cases:

Request Body:

5. Profile Management

Example Response:

Request Body:

Request Body:

6. Password Reset Flow

Request Body:

Example Response:

Request Body:

7. Admin & Provider Authentication

Example Response:

8. Status Mapping

9. Error Patterns

10. Related Business Rules

11. Related Documents