User management in Gestor Financiero follows a strict two-role model: admin and empleado. Administrators can create new accounts, edit existing ones, reset passwords, and delete users. Every authenticated user — regardless of role — can change their own password via POST /cambiar-password and save their UI theme preference via POST /preferencias/tema. One special user, the principal admin, is bootstrapped automatically on first run and carries protections that prevent it from being edited, demoted, or deleted by other admins.
All endpoints under /usuarios require the admin role. Requests made by users with the empleado role will receive a 403 Forbidden response with the detail "Solo un administrador puede hacer esto.".

GET /usuarios

Returns all user accounts registered in the system.
curl -X GET http://localhost:8000/usuarios \
  --cookie "sesion=<token>"

Response

Returns an array of user objects.

  • id (integer): Unique user identifier.
  • usuario (string): Login username.
  • nombre (string): Display name.
  • rol (string): Either "admin" or "empleado".
  • principal (boolean): true for the bootstrapped principal administrator account. Only one user will ever have this flag set.

POST /usuarios

Creates a new user account. The username must be unique across the system.
curl -X POST http://localhost:8000/usuarios \
  --cookie "sesion=<token>" \
  -H "Content-Type: application/json" \
  -H "X-CSRF-Token: <csrf>" \
  -d '{
    "usuario": "maria.lopez",
    "nombre": "María López",
    "password": "segura1234",
    "rol": "empleado"
  }'

Request Body

  • usuario (string, required): Login username. Maximum 50 characters. Must be unique; returns 400 if the username already exists.
  • nombre (string, required): Full display name. Maximum 120 characters.
  • password (string, required): Initial password. Maximum 128 characters. Must be at least 8 characters long.
  • rol (string): Role to assign. Must be "admin" or "empleado". Defaults to "empleado" if omitted.

Response

  • id (integer): ID of the newly created user.
  • usuario (string): Stored username (whitespace-trimmed).
  • nombre (string): Stored display name (whitespace-trimmed).
  • rol (string): Assigned role.

PUT /usuarios/{usuario_id}

Edits an existing user’s username, display name, role, and optionally their password in a single request.
curl -X PUT http://localhost:8000/usuarios/5 \
  --cookie "sesion=<token>" \
  -H "Content-Type: application/json" \
  -H "X-CSRF-Token: <csrf>" \
  -d '{
    "usuario": "maria.lopez",
    "nombre": "María López Ruiz",
    "rol": "admin",
    "nueva_password": "nuevaClave99"
  }'

Request Body

  • usuario (string, required): New username. Maximum 50 characters. Must not conflict with another existing user.
  • nombre (string, required): New display name. Maximum 120 characters. Cannot be blank.
  • rol (string, required): New role. Must be "admin" or "empleado".
  • nueva_password (string): If provided, replaces the user’s current password. Maximum 128 characters. Must be at least 8 characters long.

Business rules

  • Returns 403 if usuario_id belongs to the principal admin.
  • Returns 400 if demoting the only remaining admin to "empleado" — at least one admin must always exist.
  • If nueva_password is set and the target user is not the requesting admin, all active sessions for that user are closed immediately, forcing a re-login.

Response

Returns { id, usuario, nombre, rol } for the updated account.

POST /usuarios/{usuario_id}/password

Resets another user’s password. The target user’s sessions are invalidated so they must log in again with the new credentials.
curl -X POST http://localhost:8000/usuarios/5/password \
  --cookie "sesion=<token>" \
  -H "Content-Type: application/json" \
  -H "X-CSRF-Token: <csrf>" \
  -d '{"nueva": "contrasenaReset1"}'

Request Body

  • nueva (string, required): New password for the target user. Must be at least 8 characters long.

This endpoint cannot be used on the principal admin (403). To change the principal admin’s own password, that user must use POST /cambiar-password.

Response

{ "ok": true }

DELETE /usuarios/{usuario_id}

Permanently deletes a user account.
curl -X DELETE http://localhost:8000/usuarios/5 \
  --cookie "sesion=<token>" \
  -H "X-CSRF-Token: <csrf>"
The following conditions each return a 400 or 403 error:

  Condition                                  Status
  Attempting to delete your own account      400
  Target user is the principal admin         403
  Target user is the last remaining admin    400

Response

{ "ok": true }
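The business rules above for PUT /usuarios/{usuario_id} and DELETE /usuarios/{usuario_id} modelled in-memory, as an added example that is not the project's own code. The User fields, function names and the Spanish error details other than the documented 403 text are assumptions; each function returns an (http_status, body) pair so the outcomes can be compared with the documented codes.

```python
# Added example, not the project's own code: an in-memory model of the business
# rules this page documents for PUT /usuarios/{id} and DELETE /usuarios/{id}.
# Functions return (http_status, body); the User fields and names are assumptions.
from dataclasses import dataclass

@dataclass
class User:
    id: int
    usuario: str
    rol: str              # "admin" or "empleado"
    principal: bool = False

def admin_count(users):
    return sum(1 for u in users.values() if u.rol == "admin")

def check_admin(actor):
    # Every /usuarios route is admin-only; detail text as documented above.
    if actor.rol != "admin":
        return 403, {"detail": "Solo un administrador puede hacer esto."}
    return None

def edit_user(users, actor, target_id, nuevo_rol):
    if (err := check_admin(actor)):
        return err
    target = users[target_id]
    if target.principal:
        return 403, {"detail": "el admin principal no se puede editar"}
    if nuevo_rol not in ("admin", "empleado"):
        return 400, {"detail": "rol debe ser admin o empleado"}
    # Demoting the only admin would leave nobody able to manage users.
    if target.rol == "admin" and nuevo_rol == "empleado" and admin_count(users) == 1:
        return 400, {"detail": "debe existir al menos un admin"}
    target.rol = nuevo_rol
    return 200, {"id": target.id, "usuario": target.usuario, "rol": target.rol}

def delete_user(users, actor, target_id):
    if (err := check_admin(actor)):
        return err
    target = users[target_id]
    if target.id == actor.id:
        return 400, {"detail": "no puedes eliminar tu propia cuenta"}
    if target.principal:
        return 403, {"detail": "el admin principal no se puede eliminar"}
    if target.rol == "admin" and admin_count(users) == 1:
        return 400, {"detail": "no se puede eliminar el último admin"}
    del users[target_id]
    return 200, {"ok": True}
```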

POST /cambiar-password

Allows any authenticated user (admin or empleado) to change their own password. The current password must be provided for verification. All other active sessions for the current user are closed after a successful change.
curl -X POST http://localhost:8000/cambiar-password \
  --cookie "sesion=<token>" \
  -H "Content-Type: application/json" \
  -H "X-CSRF-Token: <csrf>" \
  -d '{
    "actual": "passwordViejo1",
    "nueva": "passwordNuevo2"
  }'

Request Body

  • actual (string, required): The user’s current password. Maximum 128 characters. Returns 400 if it does not match the stored credential.
  • nueva (string, required): The desired new password. Maximum 128 characters. Must be at least 8 characters long.

This endpoint is available to all authenticated users. It does not require the admin role. The session that made the request remains active; only other concurrent sessions are terminated.

Response

{ "ok": true }
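The two password endpoints, POST /usuarios/{usuario_id}/password and POST /cambiar-password, modelled in-memory with their differing session-invalidation rules, as an added example that is not the project's own code. The storage layout, method names, the Spanish error details other than the documented 403 text, and the use of salted PBKDF2 for stored credentials are all assumptions made for the example.

```python
# Added example, not the project's own code: in-memory model of the two password
# endpoints on this page and their session rules. Names and PBKDF2 are assumptions.
import hashlib, os, secrets
def make_hash(password):
    salt = os.urandom(16)                      # per-user random salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_hash(stored, password):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), stored[:16], 200_000)
    return secrets.compare_digest(stored[16:], dk)

class Store:
    def __init__(self):
        self.users = {}     # id -> {"rol", "principal", "hash"}
        self.sessions = {}  # session token -> user id

    def add_user(self, uid, rol, password, principal=False):
        self.users[uid] = {"rol": rol, "principal": principal, "hash": make_hash(password)}

    def _set_password(self, uid, nueva):
        if not 8 <= len(nueva) <= 128:
            return 400, {"detail": "la contraseña debe tener entre 8 y 128 caracteres"}
        self.users[uid]["hash"] = make_hash(nueva)
        return None

    def _close_sessions(self, uid, keep=None):
        # Drop every session of uid except the token in `keep`, if given.
        for t in [t for t, u in self.sessions.items() if u == uid and t != keep]:
            del self.sessions[t]

    def admin_reset(self, token, target_id, nueva):
        # POST /usuarios/{id}/password: admin-only, never on the principal, closes all target sessions.
        if self.users[self.sessions[token]]["rol"] != "admin":
            return 403, {"detail": "Solo un administrador puede hacer esto."}
        if self.users[target_id]["principal"]:
            return 403, {"detail": "el admin principal debe usar /cambiar-password"}
        if (err := self._set_password(target_id, nueva)):
            return err
        self._close_sessions(target_id)
        return 200, {"ok": True}

    def change_own(self, token, actual, nueva):
        # POST /cambiar-password: any role; `actual` must match; only other sessions are closed.
        uid = self.sessions[token]
        if not check_hash(self.users[uid]["hash"], actual):
            return 400, {"detail": "la contraseña actual no coincide"}
        if (err := self._set_password(uid, nueva)):
            return err
        self._close_sessions(uid, keep=token)
        return 200, {"ok": True}
```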

POST /preferencias/tema

Saves the current user’s UI theme preference. The preference is stored per-user and returned on subsequent GET /yo and POST /login calls.
curl -X POST http://localhost:8000/preferencias/tema \
  --cookie "sesion=<token>" \
  -H "Content-Type: application/json" \
  -H "X-CSRF-Token: <csrf>" \
  -d '{"tema": "oscuro"}'

Request Body

  • tema (string, required): Theme selection. Must be exactly one of:

  Value     Meaning
  claro     Light theme
  oscuro    Dark theme
  sistema   Follow the OS/browser preference

Returns 400 for any other value.
This endpoint is available to all authenticated users — no admin role required.

Response

{ "ok": true }
