The user management endpoints let administrators manage system accounts. Each user must be linked to an existing employee record (id_empleado). Passwords are hashed with SHA-256 via Node’s built-in crypto module before being passed to the stored procedure — plaintext credentials are never persisted.
All routes require a valid JWT in the Authorization: Bearer <token> header.
These endpoints do not implement role-based access control at the HTTP layer. Restrict access to administrator accounts in your deployment environment.
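
One way to close the gap noted above is a role check in front of the user routes. This is an added example, not the project's code: it assumes HS256 tokens carrying a `cargo` claim and an Express-style `(req, res, next)` middleware signature, and the secret, error bodies and function names are constructed.

```javascript
const crypto = require('crypto');

// Verify an HS256 token with node:crypto only; returns the payload or null.
function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  try {
    const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    if (header.alg !== 'HS256') return null; // pin the algorithm, reject "none"
    const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
    if (typeof payload.exp !== 'number' || payload.exp <= now) return null;
    return payload;
  } catch { return null; } // malformed base64url or JSON
}

// Middleware: 401 without a valid token, 403 when the cargo claim is not allowed.
function requireCargo(allowed, secret) {
  return (req, res, next) => {
    const m = /^Bearer (.+)$/.exec(req.headers.authorization || '');
    const payload = m && verifyHs256(m[1], secret);
    if (!payload) return res.status(401).json({ error: 'Token inválido' });
    if (!allowed.includes(payload.cargo)) return res.status(403).json({ error: 'Acceso denegado' });
    req.user = payload;
    return next();
  };
}

// Demo helper (constructed): mint a token the way an HS256 issuer would.
function signHs256(payload, secret) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const body = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  return `${body}.${crypto.createHmac('sha256', secret).update(body).digest('base64url')}`;
}

// Run the guard against a mock request and return the resulting HTTP status.
function statusFor(cargo, signingSecret = 'demo-secret') {
  const token = signHs256({ sub: 1, cargo, exp: Math.floor(Date.now() / 1000) + 60 }, signingSecret);
  let status = 200;
  const res = { status(c) { status = c; return this; }, json() { return this; } };
  requireCargo(['Administrador'], 'demo-secret')({ headers: { authorization: `Bearer ${token}` } }, res, () => {});
  return status;
}
```

Mounted ahead of the `/api/usuarios` router, a guard like this lets an "Administrador" token through and answers 403 for a "Cajero" token.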

GET /api/usuarios

Returns the list of all system users. Calls sp_get_todos_usuarios. Accepts an optional search term to filter results.

Query parameters

busqueda (string, default: ""): Optional search term filtered server-side by the stored procedure (matched against username or employee name). Omit or pass an empty string to return all users.

Response

200 OK — returns an array of user records.
id_usuario (number): Internal user ID.
username (string): Login username.
id_empleado (number): ID of the linked employee record.
nombre_empleado (string): Full name of the linked employee.
cargo (string): Employee role/position (e.g., "Administrador", "Cajero").
activo (boolean): Whether the account is currently active.

Errors

Status | Condition | Body
500 | Database or server error | { "error": "<message>" }

Example

curl --request GET \
  --url http://localhost:3000/api/usuarios \
  --header 'Authorization: Bearer <token>'
Response
[
  {
    "id_usuario": 1,
    "username": "admin",
    "id_empleado": 1,
    "nombre_empleado": "Carlos Ramírez",
    "cargo": "Administrador",
    "activo": true
  },
  {
    "id_usuario": 2,
    "username": "cajero1",
    "id_empleado": 2,
    "nombre_empleado": "Ana Torres",
    "cargo": "Cajero",
    "activo": true
  }
]

POST /api/usuarios

Creates a new user account. The provided password is hashed with SHA-256 before being passed to sp_crear_usuario — the plaintext value is never written to the database. Returns the new user’s ID on success.

Request body

username (string, required): Unique login username. The stored procedure will reject duplicate usernames.
password (string, required): Plaintext password. Hashed server-side with SHA-256 before storage.
id_empleado (number, required): ID of the employee this account belongs to. Obtain valid IDs from GET /api/usuarios/empleados.

Response

201 Created
id_usuario (number, required): Internal ID of the newly created user account.
message (string, required): Confirmation message ("Usuario creado exitosamente").

Errors

Status | Condition | Body
400 | Any of username, password, or id_empleado is missing | { "error": "Username, password y empleado son obligatorios" }
500 | Database error (e.g., duplicate username, invalid employee ID) | { "error": "<message>" }

To list available employees before creating a user, call GET /api/usuarios/empleados. This returns all employee records that can be linked to a new account.

Example

curl --request POST \
  --url http://localhost:3000/api/usuarios \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "username": "cajero2",
    "password": "segura123",
    "id_empleado": 3
  }'
Response
{
  "id_usuario": 3,
  "message": "Usuario creado exitosamente"
}
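
The hashing step described for POST /api/usuarios, shown beside a salted scrypt derivation from the same Node crypto module: a plain SHA-256 digest is identical for every account that shares a password and is cheap to compute in bulk, while a per-user salt and a memory-hard function remove both properties. This is an added example, not the project's code; the function names, the hex encoding, the absence of a salt in the first function and the stored-record format are assumptions.

```javascript
const crypto = require('crypto');

// Scheme as the page describes it. Assumptions: hex encoding, no salt
// (the page mentions neither).
function sha256Hex(password) {
  return crypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// Comparison scheme (not the project's): random per-user salt + scrypt,
// stored as scrypt$N$r$p$salt$key so the cost parameters can be raised later.
function scryptHash(password, N = 16384, r = 8, p = 1) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 32, { N, r, p });
  return ['scrypt', N, r, p, salt.toString('base64'), key.toString('base64')].join('$');
}

function scryptVerify(password, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  const salt = Buffer.from(parts[4], 'base64');
  const expected = Buffer.from(parts[5], 'base64');
  if (expected.length !== 32) return false; // reject truncated records
  try {
    const actual = crypto.scryptSync(password, salt, 32, { N, r, p });
    return crypto.timingSafeEqual(actual, expected); // constant-time compare
  } catch {
    return false; // malformed cost parameters
  }
}

// Two accounts that pick the same password (constructed input).
function compareSchemes(password) {
  const a = scryptHash(password);
  const b = scryptHash(password);
  return {
    sha256SameDigest: sha256Hex(password) === sha256Hex(password), // always true
    scryptSameRecord: a === b, // false: the salts differ
    verifies: scryptVerify(password, a),
    rejectsWrong: !scryptVerify(password + 'x', a),
  };
}
```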

GET /api/usuarios/buscar

Searches for a specific user by username. Calls sp_buscar_usuario. Returns the user record if found, or { "encontrado": false } otherwise.

Query parameters

username (string, required): Exact username to look up.

Response

200 OK — found
encontrado (boolean, required): true when a user with the given username exists.
id_usuario (number): Internal user ID.
username (string): Login username.

200 OK — not found
encontrado (boolean, required): false. No other fields returned.

Errors

Status | Condition | Body
400 | username query parameter missing | { "error": "El parámetro \"username\" es requerido" }
500 | Database error | { "error": "<message>" }

Example

curl --request GET \
  --url 'http://localhost:3000/api/usuarios/buscar?username=cajero1' \
  --header 'Authorization: Bearer <token>'

GET /api/usuarios/empleados

Returns the list of all employees available for user account assignment. Calls sp_get_empleados. Use this to obtain valid id_empleado values before calling POST /api/usuarios or PUT /api/usuarios/:id.

Parameters

No parameters required.

Response

200 OK — returns an array of employee records.
id_empleado (number): Internal employee ID. Pass this as id_empleado when creating or updating a user.
nombres (string): Employee first name(s).
apellidos (string): Employee last name(s).
nombre_cargo (string): Position/role name (e.g., "Administrador", "Cajero").

Example

curl --request GET \
  --url http://localhost:3000/api/usuarios/empleados \
  --header 'Authorization: Bearer <token>'

PUT /api/usuarios/:id

Updates an existing user’s username, password, or linked employee. Calls sp_actualizar_usuario. If password is omitted, the stored current hash is preserved.

Path parameters

id (number, required): Internal user ID.

Request body

username (string, required): Updated login username.
id_empleado (number, required): Updated employee link. Must reference an existing employee.
password (string): New password in plaintext. If omitted, the current password hash is preserved unchanged.

Response

200 OK
message (string): Confirmation message ("Usuario actualizado exitosamente").

Errors

Status | Condition | Body
400 | username or id_empleado missing | { "error": "Username y empleado son obligatorios" }
404 | Password omitted and username not found to retrieve existing hash | { "error": "Usuario no encontrado para obtener hash actual" }
500 | Database error | { "error": "<message>" }

Example

curl --request PUT \
  --url http://localhost:3000/api/usuarios/3 \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "username": "cajero2",
    "password": "nuevaclave456",
    "id_empleado": 3
  }'

DELETE /api/usuarios/:id

Deletes a user account permanently. Calls sp_eliminar_usuario.

Path parameters

id (number, required): Internal user ID to delete.

Response

200 OK
message (string): Confirmation message ("Usuario eliminado exitosamente").

Errors

Status | Condition | Body
500 | Database error | { "error": "<message>" }

Example

curl --request DELETE \
  --url http://localhost:3000/api/usuarios/3 \
  --header 'Authorization: Bearer <token>'
Response
{
  "message": "Usuario eliminado exitosamente"
}
