# AuthApi document shapes

This service expects JSON request bodies for its auth endpoints and stores user
documents in MongoDB.

Inbound JSON documents
- RegisterRequest (`POST /api/auth/register`)
  ```json
  {
    "username": "string",
    "password": "string",
    "email": "string (optional)"
  }
  ```
- LoginRequest (`POST /api/auth/login`)
  ```json
  {
    "username": "string",
    "password": "string"
  }
  ```
- RefreshRequest (`POST /api/auth/refresh`)
  ```json
  {
    "username": "string",
    "refreshToken": "string"
  }
  ```
- ChangeRoleRequest (`POST /api/auth/role`)
  ```json
  {
    "username": "string",
    "newRole": "USER | SUPER"
  }
  ```

Stored documents (MongoDB)
- User
  ```json
  {
    "id": "string (ObjectId)",
    "username": "string",
    "passwordHash": "string",
    "role": "USER | SUPER",
    "email": "string (optional)",
    "refreshToken": "string (optional)",
    "refreshTokenExpiry": "string (optional, ISO-8601 datetime)"
  }
  ```