Skip to main content
Version: v2

Logging Users In and Out

Stories are displayed on the home page. If we want users to be able to post new stories and upload a profile picture, we need to allow them to log in to the application.

To do this, we will use Foal's sessions with cookies.

FoalTS offers many options for user authentication. For example, you can send session tokens with the Authorization header or use stateless tokens with JWT. We won't explore all these possibilities in this tutorial but you can find the full documentation here.

Open the file api.controller.ts and add the @UseSessions hook at the top of the class.

import { ApiInfo, ApiServer, controller, UseSessions } from '@foal/core';
import { fetchUser } from '@foal/typeorm';
import { User } from '../entities';
import { StoriesController } from './api';

title: 'Application API',
version: '1.0.0'
url: '/api'
cookie: true,
user: fetchUser(User),
export class ApiController {

subControllers = [
controller('/stories', StoriesController),


When used with the cookie option, this hook ensures that ctx.session is always defined in every method of the controller and its subcontrollers. This object can be used to store information between multiple requests, such as a user ID for example. You will use it to authenticate users.

In the background, Foal generates a unique session token for each user using the API and stores it in a cookie on the client host. When the client makes a new request, the browser automatically sends the token with the request so that the server can retrieve the session information. The session data is stored in the database in the sessions table.

But you don't need to worry about it, everything is managed by Foal.

Create a new controller.

foal generate controller api/auth --register

Open the new created file and add two routes.

API endpointMethodDescription
/api/auth/loginPOSTLogs the user in. An email and a password are expected in the request body.
/api/auth/logoutPOSTLogs the user out.
import { Context, hashPassword, HttpResponseNoContent, HttpResponseOK, HttpResponseUnauthorized, Post, Session, ValidateBody, verifyPassword } from '@foal/core';
import { User } from '../../entities';

const credentialsSchema = {
type: 'object',
properties: {
email: { type: 'string', format: 'email', maxLength: 255 },
password: { type: 'string' }
required: [ 'email', 'password' ],
additionalProperties: false,

export class AuthController {

async login(ctx: Context<User|undefined, Session>) {
const email =;
const password = ctx.request.body.password;

const user = await User.findOne({ email });
if (!user) {
return new HttpResponseUnauthorized();

if (!(await verifyPassword(password, user.password))) {
return new HttpResponseUnauthorized();

ctx.user = user;

return new HttpResponseOK({

async logout(ctx: Context<User|undefined, Session>) {
await ctx.session.destroy();
return new HttpResponseNoContent();


The login method first checks that the user exists and that the credentials provided are correct. If so, it associates the user with the current session.

On subsequent requests, the UseSessions hook will retrieve the user's ID from the session and set the ctx.user property accordingly. If the user has not previously logged in, then ctx.user will be undefined. If they have, then ctx.user will be an instance of User. This is made possible by the user option we provided to the hook earlier. It is actually the function that takes the user ID as parameter and returns the value to assign to ctx.user.