Login

Endpoint

POST /api/auth/login

Overview

Authenticates a user with email and password. If 2FA is enabled, returns a pending token that requires verification code. Otherwise, returns a full JWT token and user’s service access information.

Request

string

required

User email address

password

string

required

User password

verificationCode

string

Required if 2FA is enabled. TOTP code from authenticator app.

Response (Without 2FA or Valid Code)

user

object

Authenticated user object

Show User Object

string

User ID

string

User email

displayName

string

Display name

avatar

string

Avatar URL (if set)

token

string

JWT token for authentication

services

array

Array of user’s service entitlements

Show Service Entitlement

string

Entitlement ID

userId

string

User ID

service

string

Service identifier: DROP, MAILS, VAULT, or DB

enabled

boolean

Whether service is enabled

expiresAt

string

Expiration date (ISO timestamp) or null

banned

boolean

Whether the user account is banned

disabled

boolean

Whether the user account is disabled

Response (2FA Required)

user

object

Partial user object (without sensitive data)

requires2FA

boolean

Always true when 2FA is required

pendingToken

string

Temporary token for 2FA verification. Not a full JWT token.

message

string

“2FA verification required”

Implementation Details

Process Flow

CORS & Arcjet: Validates CORS and applies rate limiting
User Lookup: Finds user with service access included
Password Verification: Compares password with bcrypt hash
2FA Check: If enabled, validates verification code or returns pending token
Session Management:
- Reuses existing session if valid and from same IP
- Creates new session if none exists
- Updates expiration on existing sessions
Audit Logging: Logs USER_LOGIN and SESSION_CREATE (if new session)

Code Reference

export async function POST(request: NextRequest) {
  const corsResponse = handleCors(request)
  if (corsResponse) return corsResponse

  const blocked = await protectRoute(request, { requested: 2 })
  if (blocked) return blocked

  try {
    const body = await request.json()
    const validated = loginSchema.parse(body)

    logger.ups('Login attempt:', validated.email)

    const user = await prisma.user.findUnique({
      where: { email: validated.email },
      include: {
        serviceAccess: true,
      },
    })

    if (!user || !user.passwordHash) {
      logger.warn('Login failed: Invalid credentials', validated.email)
      return errorResponse('Invalid credentials', 401, request.headers.get('origin'))
    }

    const isValid = await bcrypt.compare(validated.password, user.passwordHash)
    if (!isValid) {
      logger.warn('Login failed: Invalid password', validated.email)
      return errorResponse('Invalid credentials', 401, request.headers.get('origin'))
    }

    const verificationCode = validated.verificationCode

    if (user.twoFactorEnabled) {
      if (!verificationCode) {
        const pendingToken = generateToken({ userId: user.id, email: user.email })
        return jsonResponse(
          {
            user: {
              id: user.id,
              email: user.email,
              displayName: user.displayName,
              avatar: user.avatar,
            },
            requires2FA: true,
            pendingToken,
            message: '2FA verification required',
          },
          200,
          request.headers.get('origin')
        )
      }

      if (!user.twoFactorSecret) {
        logger.warn('2FA enabled but no secret found', user.id)
        return errorResponse('2FA configuration error', 500, request.headers.get('origin'))
      }

      const verified = speakeasy.totp.verify({
        secret: user.twoFactorSecret,
        encoding: 'base32',
        token: verificationCode,
        window: 2,
      })

      if (!verified) {
        logger.warn('2FA verification failed', user.id)
        return errorResponse('Invalid 2FA verification code', 401, request.headers.get('origin'))
      }
    }

    const clientIp = getClientIp(request)
    const encryptedIp = getClientIpForStorage(request, user.id)

    const existingSession = await prisma.session.findFirst({
      where: {
        userId: user.id,
        ip: encryptedIp,
        expiresAt: {
          gt: new Date(),
        },
      },
      orderBy: {
        createdAt: 'desc',
      },
    })

    let token: string
    const expiresAt = getSessionExpiresAt()

    let sessionCreated = false
    
    if (existingSession) {
      const { verifyToken } = await import('@/lib/auth')
      const tokenPayload = verifyToken(existingSession.token)
      
      if (tokenPayload && tokenPayload.userId === user.id) {
        token = existingSession.token
        await prisma.session.update({
          where: { id: existingSession.id },
          data: {
            expiresAt,
          },
        })
      } else {
        token = generateToken({ userId: user.id, email: user.email })
        await prisma.session.update({
          where: { id: existingSession.id },
          data: {
            token,
            expiresAt,
          },
        })
      }
    } else {
      token = generateToken({ userId: user.id, email: user.email })
      await prisma.session.create({
        data: {
          userId: user.id,
          token,
          expiresAt,
          ip: encryptedIp,
        },
      })
      sessionCreated = true
    }

    await prisma.user.update({
      where: { id: user.id },
      data: { updatedAt: new Date() },
    })

    await createAuditLog(user.id, 'USER_LOGIN', {
      ip: encryptedIp,
      twoFactorUsed: user.twoFactorEnabled && !!verificationCode,
    })
    
    if (sessionCreated) {
      await createAuditLog(user.id, 'SESSION_CREATE', {
        ip: encryptedIp,
      })
    }

    return jsonResponse(
      {
        user: {
          id: user.id,
          email: user.email,
          displayName: user.displayName,
          avatar: user.avatar,
        },
        token,
        services: user.serviceAccess,
      },
      200,
      request.headers.get('origin')
    )
  } catch (error: any) {
    if (error.name === 'ZodError') {
      logger.warn('Login validation error:', error.errors)
      return errorResponse(error.errors[0].message, 400, request.headers.get('origin'))
    }
    logger.error('Login error:', error)
    return errorResponse('Internal server error', 500, request.headers.get('origin'))
  }
}

Status Codes

200

400

Bad Request

Validation error

401

Unauthorized

Invalid credentials or invalid 2FA code

403

Forbidden

Blocked by Arcjet

500

Internal Server Error

Server error or 2FA configuration error

Example Requests

Without 2FA

curl -X POST https://auth.nullpass.xyz/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "securepassword123"
  }'

With 2FA

# Step 1: Initial login (returns requires2FA: true)
curl -X POST https://auth.nullpass.xyz/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "securepassword123"
  }'

# Step 2: Verify with 2FA code
curl -X POST https://auth.nullpass.xyz/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "securepassword123",
    "verificationCode": "123456"
  }'

Session Reuse Logic

The endpoint implements smart session reuse:

If a valid session exists for the user from the same IP, it reuses the token
Session expiration is updated on reuse
New sessions are only created when none exist or existing session is invalid

Audit Events

USER_LOGIN: Successful login (includes twoFactorUsed flag)
SESSION_CREATE: New session created (only if new session was created)

Body

application/json

string<email>

required

password

string

required

verificationCode

string

Required if 2FA is enabled

Response

Option 1
Option 2

user

object

Show child attributes

user.id

string

user.email

string<email>

user.username

string | null

user.displayName

string | null

user.avatar

string | null

user.twoFactorEnabled

boolean

user.createdAt

string<date-time>

token

string

services

object[]

Show child attributes

services.id

string

services.userId

string

services.service

enum<string>

Available options:

DROP,

MAILS,

VAULT,

DB

services.tier

string

Example:

"premium"

services.isPremium

boolean

services.accessFlags

object

services.metadata

object

services.customStorageLimit

integer | null

services.customApiKeyLimit

integer | null

services.createdAt

string<date-time>

services.updatedAt

string<date-time>

banned

boolean

Whether the user account is banned

disabled

boolean

Whether the user account is disabled

Get Started

Authentication

Services

Webhooks

Account Management

Service Connection

Polar Integration

Admin

Advanced

Library

Endpoint

Overview

Request

Response (Without 2FA or Valid Code)

Response (2FA Required)

Implementation Details

Process Flow

Code Reference

Status Codes

Example Requests

Without 2FA

With 2FA

Session Reuse Logic

Audit Events

Body

Response

Get Started

Authentication

Services

Webhooks

Account Management

Service Connection

Polar Integration

Admin

Advanced

Library

​Endpoint

​Overview

​Request

​Response (Without 2FA or Valid Code)

​Response (2FA Required)

​Implementation Details

​Process Flow

​Code Reference

​Status Codes

​Example Requests

​Without 2FA

​With 2FA

​Session Reuse Logic

​Audit Events

Body

Response

Endpoint

Overview

Request

Response (Without 2FA or Valid Code)

Response (2FA Required)

Implementation Details

Process Flow

Code Reference

Status Codes

Example Requests

Without 2FA

With 2FA

Session Reuse Logic

Audit Events