
The Users API provides full lifecycle management of restaurant staff accounts. Administrators can create, read, update, and permanently delete user records. Passwords are never stored in plain text — the controller hashes every password with bcryptjs at a cost factor of 10 before writing it to the usuario table, and the password_hash column is excluded from all query responses. Each user is assigned one of four roles (admin, cajero, mesero, cocina) that the role-guard middleware uses to restrict access across the entire API. Every write operation is recorded in the audit log. All endpoints require the admin role.

Endpoints

Method  Path            Auth   Description
GET     /api/users      admin  List all staff accounts
GET     /api/users/:id  admin  Get a single user by ID
POST    /api/users      admin  Create a new user account
PUT     /api/users/:id  admin  Update an existing user account
DELETE  /api/users/:id  admin  Permanently delete a user

GET /api/users

Returns all user records ordered by creado_en descending. Password hashes are never included.
curl -X GET https://api.example.com/api/users \
  -H "Authorization: Bearer <token>"
Response — array of user objects:
[
  {
    "id": 3,
    "nombre": "María",
    "apellido": "López",
    "email": "[email protected]",
    "rol": "mesero",
    "activo": true,
    "creado_en": "2025-01-10T14:00:00.000Z"
  }
]

GET /api/users/:id

Fetches a single user by their database ID. Returns 404 if the user does not exist.
curl -X GET https://api.example.com/api/users/3 \
  -H "Authorization: Bearer <token>"

POST /api/users

Creates a new staff account. The email address must be unique across all users. The password is hashed before storage and is never returned in any response.

Request body

nombre (string, required)
  User’s first name.
apellido (string)
  User’s last name / surname.
email (string, required)
  Unique email address used for login. Returns 400 if already registered.
password (string, required)
  Plain-text password. The API hashes it with bcryptjs (cost 10) before storing it. Minimum length is not enforced server-side but a strong password is recommended.
rol (string)
  Role assignment. Must be one of: admin, cajero, mesero, cocina. Defaults to mesero if omitted.

  Role    Access level
  admin   Full system access
  cajero  Payments, tickets, and invoices
  mesero  Orders and table management
  cocina  Kitchen order queue

activo (boolean)
  Whether the account is active. Defaults to true. Inactive users (activo: false) cannot authenticate.
curl -X POST https://api.example.com/api/users \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "nombre": "María",
    "apellido": "López",
    "email": "[email protected]",
    "password": "Secure@Pass1",
    "rol": "mesero",
    "activo": true
  }'
Response 201 Created:
{
  "message": "Usuario creado correctamente",
  "id": 3
}

Error responses

Status  Condition
400     nombre, email, or password missing
400     rol is not one of the four valid values
400     Email is already registered to another account
500     Database or internal error
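The admin role gate, the POST /api/users validation that produces the 400 conditions above, and the response shaping that keeps password_hash out of every GET, as an added example written for this page rather than code from the SS_RESTAURANT project. It is framework-free so it runs without Express or a database; the function names (roleGuard, validateCreate, buildInsertRow, toPublicUser, hashPassword) and the English error strings are ours, and the Set of existing e-mails stands in for the uniqueness query on the usuario table.

```javascript
// Added example, not code from the SS_RESTAURANT project: the admin role gate,
// POST /api/users validation and response shaping this page describes, written
// as pure functions so they run without Express or a database. Names (roleGuard,
// validateCreate, buildInsertRow, toPublicUser, hashPassword) are ours.
const ROLES = ['admin', 'cajero', 'mesero', 'cocina'];

// Role guard: every Users endpoint requires the admin role. Returns the HTTP
// status the middleware would answer with (200 meaning "pass through").
function roleGuard(user, allowed = ['admin']) {
  if (!user || !user.rol) return 401;            // no authenticated principal
  return allowed.includes(user.rol) ? 200 : 403; // authenticated but wrong role
}

// Validate a POST /api/users body against the documented 400 conditions.
// `existingEmails` (a Set) stands in for the uniqueness query on usuario.email.
function validateCreate(body, existingEmails) {
  const { nombre, apellido = null, email, password, rol = 'mesero', activo = true } = body || {};
  if (!nombre || !email || !password) {
    return { status: 400, error: 'nombre, email and password are required' };
  }
  if (!ROLES.includes(rol)) {
    return { status: 400, error: 'rol must be one of ' + ROLES.join(', ') };
  }
  if (existingEmails.has(email)) {
    return { status: 400, error: 'email is already registered' };
  }
  // Anything other than a literal true leaves the account disabled.
  return { status: 201, user: { nombre, apellido, email, rol, activo: activo === true } };
}

// Build the row to INSERT. The plain-text password is consumed here and only
// its hash is kept; with bcryptjs the caller would pass
//   (p) => bcrypt.hashSync(p, 10)
// which is the cost factor the page documents.
function buildInsertRow(validated, password, hashPassword) {
  return { ...validated.user, password_hash: hashPassword(password) };
}

// Shape any usuario row for a GET response: password_hash is dropped so it can
// never leak, whatever columns the SELECT happened to return.
function toPublicUser(row) {
  const { password_hash, ...publicFields } = row;
  return publicFields;
}
```

The same validateCreate shape applies to PUT /api/users/:id once the password check is removed and the "already in use" lookup excludes the user being updated.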

PUT /api/users/:id

Updates the profile information of an existing user. nombre and email are required. If email is changed it must not conflict with another existing user’s address.

Request body

nombre (string, required)
  Updated first name.
apellido (string)
  Updated last name.
email (string, required)
  Updated email address. Must be unique; returns 400 if already in use by a different user.
rol (string)
  Updated role. Must be one of: admin, cajero, mesero, cocina. If omitted, the existing role is preserved.
activo (boolean)
  Set to false to disable the account without deleting it. Defaults to true.
curl -X PUT https://api.example.com/api/users/3 \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "nombre": "María",
    "apellido": "López",
    "email": "[email protected]",
    "rol": "cajero",
    "activo": true
  }'
Response 200 OK:
{ "message": "Usuario actualizado correctamente" }

Error responses

Status  Condition
400     nombre or email missing
400     rol is not one of the four valid values
400     email is already in use by a different user
404     User not found
500     Database or internal error

DELETE /api/users/:id

Permanently removes the user record from the database. This operation cannot be undone.
curl -X DELETE https://api.example.com/api/users/3 \
  -H "Authorization: Bearer <token>"
Response 200 OK:
{ "message": "Usuario eliminado correctamente" }

User response object

All GET endpoints return user records in this shape (password hash excluded):
id (number)
  User primary key.
nombre (string)
  First name.
apellido (string)
  Last name.
email (string)
  Unique login email.
rol (string)
  Role: admin, cajero, mesero, or cocina.
activo (boolean)
  true if the account is enabled. Only active users can authenticate.
creado_en (string)
  ISO 8601 timestamp of account creation.

Deleting a user is permanent and removes all direct references to that account from the usuario table. Consider setting activo: false via PUT /api/users/:id to disable access without losing the record. Inactive users cannot log in but their historical data (orders, audit entries) remains intact.
Inactive users (activo: false) are excluded from role-based lookups used internally for assignment features (e.g., waiter assignment). They continue to appear in GET /api/users so administrators can re-enable them if needed.
