Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/JDzuu/AplicativoWEB_GestorFinanciero/llms.txt

Use this file to discover all available pages before exploring further.

The Gestor Financiero REST API is built with FastAPI and served by uvicorn. It exposes a JSON-based interface that the React/Vite frontend consumes to manage financial projects, payments, expenses, budgets, and users for small businesses. Every route — except /login and the interactive-docs endpoints — requires an active session, and all state-changing requests are protected by a CSRF token verified server-side.

Base URL

EnvironmentURL
Developmenthttp://localhost:8000
Frontend overrideConfigurable via the VITE_API_URL environment variable in the frontend
The frontend reads import.meta.env.VITE_API_URL at build time and falls back to http://localhost:8000 when the variable is not set.

Content Type

All requests must send a Content-Type: application/json header and a JSON body where applicable. All successful responses are returned as application/json. The only exceptions are the PDF-export endpoints (/proyectos/{id}/pdf and /presupuestos/{id}/pdf), which return application/pdf.

Authentication Model

The API uses session cookies — no API keys or Bearer tokens are required in normal usage. On a successful POST /login the server sets two cookies:
  • sesion — an HttpOnly cookie that carries the session token. The browser attaches it automatically to every subsequent request.
  • csrftoken — a JavaScript-readable cookie used for CSRF protection on mutating requests.
See the Authentication page for full details.

Interactive Documentation

Swagger UI and ReDoc are available in development mode only. They are automatically disabled when the ENTORNO environment variable is set to produccion.
URLInterface
/docsSwagger UI (try-it-out)
/redocReDoc (read-only reference)
/openapi.jsonRaw OpenAPI schema
All three interactive-docs URLs return 404 in production (ENTORNO=produccion). Do not rely on them in deployed environments.

Error Response Format

All error responses return a JSON object with a detail field:
{ "detail": "Error message here" }
For Pydantic validation errors (HTTP 422), detail is an array of objects rather than a plain string:
{
  "detail": [
    {
      "loc": ["body", "monto"],
      "msg": "value is not a valid decimal",
      "type": "type_error.decimal"
    }
  ]
}
The frontend unwraps both formats automatically, joining multiple validation messages into a single user-facing string.

HTTP Status Codes

CodeMeaning
200Success
400Bad request / business-logic validation error
401Not authenticated (missing or expired session)
403Forbidden — wrong role or CSRF token failure
404Resource not found
413Request body too large (default limit: 1 MB)
422Unprocessable entity — Pydantic input validation failure
429Rate limit exceeded or brute-force lockout
500Internal server error

Rate Limits

The API uses SlowAPI to enforce per-IP rate limits. Limits are applied globally via middleware and can be overridden with environment variables.
ScopeDefaultEnvironment variable
All routes120 requests / minuteRATE_LIMIT_GENERAL
POST /login10 requests / minuteRATE_LIMIT_LOGIN
When a limit is exceeded the API returns HTTP 429 with:
{ "detail": "Demasiadas peticiones. Espera un momento e inténtalo de nuevo." }
For Redis-backed rate limiting in multi-worker deployments, set the RATE_LIMIT_STORAGE environment variable to a redis:// connection string. The default storage is in-memory (memory://), which is not shared across processes.

Security Headers

Every response includes a standard set of security headers regardless of environment:
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: no-referrer
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
  • Cross-Origin-Opener-Policy: same-origin
  • Cross-Origin-Resource-Policy: same-origin
In production (ENTORNO=produccion), two additional headers are added:
  • Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none'
  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

CORS

Cross-Origin Resource Sharing is configured to allow requests from the frontend origins. The default allowed origins are http://localhost:5173 and http://127.0.0.1:5173. In production, set the ORIGENES_PERMITIDOS environment variable to a comma-separated list of allowed origins. Credentials (cookies) are always included in the CORS policy (allow_credentials=True).
CORS settingValue
Allowed origins (default)http://localhost:5173, http://127.0.0.1:5173
Env variable to overrideORIGENES_PERMITIDOS (comma-separated)
Allowed methodsGET, POST, PUT, DELETE, OPTIONS
Allowed headersAuthorization, Content-Type, X-CSRF-Token
Credentialstrue
Preflight cache (max_age)600 seconds

Endpoint Groups

Authentication

Login, logout, session management, CSRF tokens, and brute-force protection.

Projects

Create, read, update, and manage the full lifecycle of financial projects.

Finances

Record and manage incoming payments (entradas) and outgoing expenses (salidas) per project.

Budgets

Build itemized budget quotes, convert them to active projects, and export PDF cotizaciones.

Users

Admin-only user management: create, edit, reset passwords, and delete user accounts.

Analysis

Aggregate financial indicators for closed projects, filterable by year, month, or quarter.

Build docs developers (and LLMs) love