The Avanzar backend is a Hono v4 REST API that runs directly on Bun, using Better Auth for session management, Drizzle ORM for type-safe database access, and Zod for request validation. It serves a fully documented OpenAPI 3.1 specification alongside an interactive Swagger UI, making every endpoint explorable without a separate client. All responses — success or error — follow a consistent JSON shape, keeping integration predictable for both the storefront and the admin dashboard.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ItsJhonAlex/Ecommerce/llms.txt
Use this file to discover all available pages before exploring further.
Running the Backend
Start the backend from the monorepo root using the workspace script, or invoke Bun directly from within theapps/backend directory.
Development (hot reload)
Route Structure
All API traffic is mounted under/api. The three main route trees are:
| Mount path | Description |
|---|---|
/api/auth/* | Better Auth handler — sign-up, sign-in, sign-out, and session management |
/api/v1/ | Public routes available to the storefront and authenticated customers |
/api/v1/admin/ | Admin-only routes protected by the requireAdmin middleware |
/api/v1/)
These endpoints serve the storefront and authenticated customer account operations. Some (products, categories, shipping-rates, checkout) are fully open; others (orders, addresses) require a valid session cookie.
GET /api/v1/products— active product listingGET /api/v1/products/:slug— single product by slugGET /api/v1/categories— category treeGET /api/v1/shipping-rates— rate lookup by province and currencyPOST /api/v1/checkout— create a new order (guest-friendly)GET /api/v1/orders— authenticated user’s order historyGET /api/v1/addresses— saved addresses for the current user
/api/v1/admin/)
The requireAdmin middleware is applied to the entire sub-tree — no admin route is reachable without a valid admin session.
/admin/products— list all products; create, update, archive/admin/categories— manage product categories/admin/orders— view all orders; update order status via state machine/admin/payments— list pending and confirmed payments; confirm with reference number/admin/shipping-rates— manage per-province shipping rates/admin/users— view users; update user roles
GET /api/v1/openapi.json— machine-readable OpenAPI 3.1 specificationGET /api/v1/docs— interactive Swagger UIGET /health— healthcheck returning{ "status": "ok" }
The OpenAPI spec at
/api/v1/openapi.json and the Swagger UI at /api/v1/docs are publicly accessible — no authentication is required to browse the API documentation.CORS
CORS is configured on all/api/* routes to support cookie-based sessions across the two local origins:
credentials: true is required so the browser sends the better-auth.session_token cookie with every cross-origin request. The two allowed origins map to the storefront (4321) and the admin dashboard (5174) respectively.
Error Handling
Every error response from the API follows the same JSON envelope:onError handler catches any uncaught exception, logs the full stack to the server console (never to the client), and responds with a uniform 500:
fail() helper, which also accepts an optional extra object for additional fields such as code or productId:
{ error: string, ...extra }.
Request Validation
Two thin helpers wrap Zod parsing and short-circuit with a400 response on failure, keeping route handlers free of boilerplate try/catch blocks.
parseJson(c, schema) — validates the request body:
parseQuery(c, schema) — validates URL query parameters:
{ ok: true; data: T } | { ok: false; response: Response }, so TypeScript enforces the guard before allowing access to data.
Running Tests
db:test:setup first to provision the test database schema before executing the tests in test/.