Use this file to discover all available pages before exploring further.
The Users API provides administrators with full control over AutoPart Pro accounts. Admins can list every registered user, promote or demote accounts between the three available roles (admin, employee, client), and permanently delete user accounts. These endpoints are protected by both the protect JWT middleware and the authorize('admin') role-check middleware — any request from a non-admin user is rejected before the controller logic runs.
All endpoints in this section require a valid Bearer token and the admin role. Requests from employee or client accounts will receive a 403 Forbidden response from the role-check middleware.
Returns the full list of registered accounts. Passwords are never included — the query selects only id, name, email, and role. Use this endpoint to populate the user management table in the admin dashboard.
Updates the role of an existing user account. The only accepted role values are "admin", "employee", and "client" — any other string returns a 400 validation error before the database is touched. If the target user ID does not exist in the database, a 404 is returned.
Use this endpoint to onboard a new staff member: register them as a client, then promote them to employee or admin via this endpoint.
Permanently deletes a user account from AutoPart Pro. Requires a valid Bearer token with the admin role. An admin cannot delete their own account — the server compares the path id parameter against req.user.id (the ID decoded from the JWT) and returns a 400 if they match.
This action is irreversible. Deleting a user does not cascade-delete their associated sales records — those remain in the sales table and retain the original user_id foreign key value.