Session Management
Create Session - /api/session
-
Endpoint:
/api/session -
Method: POST
-
Description: Creates a new session for the user.
-
Response:
{"sessionId": "session-id-string","message": "Session created successfully"} -
Error Responses:
500: Failed to create session
-
Notes:
- Creates a new session with 24-hour expiration
- Sets HTTP-only session cookie
- Required for accessing protected endpoints
Validate Session - /api/session
-
Endpoint:
/api/session -
Method: GET
-
Description: Validates an existing session.
-
Response (valid):
{"valid": true,"sessionId": "session-id-string"} -
Response (invalid):
{"valid": false,"error": "No session cookie"} -
Error Responses:
401: No session cookie or session ID500: Failed to validate session
-
Notes:
- Checks if the session cookie exists and is valid
- Returns session ID if valid
Delete Session - /api/session
-
Endpoint:
/api/session -
Method: DELETE
-
Description: Deletes the current session (logout).
-
Response:
{"message": "Session deleted successfully"} -
Error Responses:
500: Failed to delete session
-
Notes:
- Clears the session from server and client
- Removes session cookie
Get CSRF Token - /api/csrf
-
Endpoint:
/api/csrf -
Method: GET
-
Description: Generates a CSRF token for the current session.
-
Response:
{"csrfToken": "csrf-token-string","message": "CSRF token generated successfully"} -
Error Responses:
401: No session found or invalid/expired session500: Failed to generate CSRF token
-
Notes:
- Requires a valid session
- CSRF token is required for all state-changing operations
- Token is tied to the current session