Open
Description
Goal
Replace session-based auth with stateless JWT authentication and ensure consistent return format.
Scope
Update:
- auth.controller.js (or equivalent service layer)
- signup flow
- login flow
Requirements
- On successful login/signup:
  - Generate a signed JWT
  - Expiry ~ 24 hours
  - Use environment secret: process.env.JWT_SECRET
- Response MUST return:
  {
    "user": { ...safeFields },
    "token": "<jwt-token>",
    "expiresAt": "<timestamp>"
  }
❗ Do NOT return password, hash, or internal fields.
Acceptance Criteria (Checklist)
- Login returns valid JWT
- Signup returns valid JWT
- Token decodes properly using JWT_SECRET
- Expiration timestamp matches token expiry
- Auth still works after app restart (stateless)
- No cookies or session objects used anywhere in controller
Security Notes
- Keep payload minimal
- Avoid embedding sensitive PII
- Prefer: sub, email, role, iat, exp
Proof Required (attach in PR)
- Screenshot of Postman login response
- Screenshot of decoded JWT (sanitized)
- Short code snippet for token issuing
PR Notes
- Target branch: auth-phase-0.5
- Do not merge without review