Session Management
Create Session - /api/session
- Endpoint:
/api/session - Method: POST
- Description: Creates a new session for the user.
- Response:
{"sessionId": "session-id-string","message": "Session created successfully"}
- Error Responses:
500: Failed to create session
- Notes:
- Creates a new session with 24-hour expiration
- Sets HTTP-only session cookie
- Required for accessing protected endpoints
Validate Session - /api/session
- Endpoint:
/api/session - Method: GET
- Description: Validates an existing session.
- Response (valid):
{"valid": true,"sessionId": "session-id-string"}
- Response (invalid):
{"valid": false,"error": "No session cookie"}
- Error Responses:
401: No session cookie or session ID500: Failed to validate session
- Notes:
- Checks if the session cookie exists and is valid
- Returns session ID if valid
Delete Session - /api/session
- Endpoint:
/api/session - Method: DELETE
- Description: Deletes the current session (logout).
- Response:
{"message": "Session deleted successfully"}
- Error Responses:
500: Failed to delete session
- Notes:
- Clears the session from server and client
- Removes session cookie
Get CSRF Token - /api/csrf
- Endpoint:
/api/csrf - Method: GET
- Description: Generates a CSRF token for the current session.
- Response:
{"csrfToken": "csrf-token-string","message": "CSRF token generated successfully"}
- Error Responses:
401: No session found or invalid/expired session500: Failed to generate CSRF token
- Notes:
- Requires a valid session
- CSRF token is required for all state-changing operations
- Token is tied to the current session