diff --git a/server.js b/server.js
index f59c62d..b9b675d 100644
--- a/server.js
+++ b/server.js
@@ -417,6 +417,50 @@ function signToken(user) { const accountId = user.owner_id || user.id; return jw
 function authMiddleware(req, res, next) { const h = req.headers.authorization || ""; const token = h.startsWith("Bearer ") ? h.slice(7) : ""; if (!token) return res.status(401).json({ ok: false, error: "No token" }); try { req.user = jwt.verify(token, JWT_SECRET); next(); } catch { return res.status(401).json({ ok: false, error: "Token inválido" }); } }
 function genCode6() { return String(Math.floor(100000 + Math.random() * 900000)); }
 
+// ==========================================
+// 🔐 SISTEMA DE AUTENTICACIÓN (LOGIN Y SESIÓN)
+// ==========================================
+app.post("/auth/login", async (req, res) => {
+    try {
+        const { email, password } = req.body;
+        if (!email || !password) return res.status(400).json({ ok: false, error: "Faltan datos" });
+
+        // Buscamos al usuario por email o por teléfono
+        const q = await pool.query("SELECT * FROM users WHERE email = $1 OR phone = $1 LIMIT 1", [email]);
+        if (q.rowCount === 0) return res.status(401).json({ ok: false, error: "Credenciales incorrectas" });
+
+        const user = q.rows[0];
+
+        // Verificar si la cuenta está activa
+        if (user.status !== 'active') return res.status(403).json({ ok: false, error: "Cuenta inactiva o bloqueada" });
+
+        // Comprobamos la contraseña
+        const valid = await bcrypt.compare(password, user.password_hash);
+        if (!valid) return res.status(401).json({ ok: false, error: "Credenciales incorrectas" });
+
+        // Generamos el Token de sesión
+        const token = signToken(user);
+        res.json({ 
+            ok: true, 
+            token, 
+            user: { id: user.id, full_name: user.full_name, role: user.role, accountId: user.owner_id || user.id } 
+        });
+    } catch (e) {
+        console.error("Error en Login:", e);
+        res.status(500).json({ ok: false, error: "Error interno del servidor" });
+    }
+});
+
+app.get("/auth/me", authMiddleware, async (req, res) => {
+    try {
+        const q = await pool.query("SELECT id, full_name, email, phone, role, company_slug, plan_tier FROM users WHERE id = $1", [req.user.sub]);
+        if (q.rowCount === 0) return res.status(404).json({ ok: false });
+        res.json({ ok: true, user: q.rows[0] });
+    } catch (e) {
+        res.status(500).json({ ok: false });
+    }
+});
+
 
 // ==========================================
 // 🕵️ ROBOT NOTARIO (TRAZABILIDAD TOTAL)