Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/JFKoryy/autopart-pro/llms.txt

Use this file to discover all available pages before exploring further.

The Users API provides administrators with full control over AutoPart Pro accounts. Admins can list every registered user, promote or demote accounts between the three available roles (admin, employee, client), and permanently delete user accounts. These endpoints are protected by both the protect JWT middleware and the authorize('admin') role-check middleware — any request from a non-admin user is rejected before the controller logic runs.
All endpoints in this section require a valid Bearer token and the admin role. Requests from employee or client accounts will receive a 403 Forbidden response from the role-check middleware.

GET /api/users

Returns the full list of registered accounts. Passwords are never included — the query selects only id, name, email, and role. Use this endpoint to populate the user management table in the admin dashboard.

Example request

curl -X GET https://api.autopartpro.com/api/users \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiNm9sZSI6ImFkbWluIiwiaWF0IjoxNzEwODY0MDAwLCJleHAiOjE3MTA4Njc2MDB9.admintoken"

Responses

success
boolean
true on a successful fetch.
data
array
Array of user objects. Passwords are never returned.
200 — OK
{
  "success": true,
  "data": [
    {
      "id": 1,
      "name": "Admin Principal",
      "email": "admin@autopartpro.com",
      "role": "admin"
    },
    {
      "id": 42,
      "name": "Carlos Mendoza",
      "email": "carlos.mendoza@example.com",
      "role": "client"
    },
    {
      "id": 57,
      "name": "Laura Sánchez",
      "email": "laura.sanchez@autopartpro.com",
      "role": "employee"
    }
  ]
}
401 — No token provided
{
  "message": "No autorizado, no se proporcionó un token."
}
401 — Invalid or expired token
{
  "message": "Token no válido o expirado."
}
403 — Insufficient role
{
  "success": false,
  "message": "Acceso denegado. No se encontraron roles asignados."
}

PUT /api/users/:id/role

Updates the role of an existing user account. The only accepted role values are "admin", "employee", and "client" — any other string returns a 400 validation error before the database is touched. If the target user ID does not exist in the database, a 404 is returned.
Use this endpoint to onboard a new staff member: register them as a client, then promote them to employee or admin via this endpoint.

Path parameters

id
integer
required
The database ID of the user whose role you want to change.

Request body

role
string
required
The new role to assign. Must be one of: "admin", "employee", "client".

Example request

curl -X PUT https://api.autopartpro.com/api/users/42/role \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiNm9sZSI6ImFkbWluIiwiaWF0IjoxNzEwODY0MDAwLCJleHAiOjE3MTA4Njc2MDB9.admintoken" \
  -H "Content-Type: application/json" \
  -d '{ "role": "employee" }'

Responses

success
boolean
true when the role is updated.
message
string
"Rol actualizado correctamente." on success.
200 — OK
{
  "success": true,
  "message": "Rol actualizado correctamente."
}
400 — Invalid role value
{
  "success": false,
  "message": "Rol inválido. Los roles válidos son: admin, employee, client."
}
404 — User not found
{
  "success": false,
  "message": "Usuario no encontrado."
}
403 — Insufficient role
{
  "success": false,
  "message": "Acceso denegado. No se encontraron roles asignados."
}

DELETE /api/users/:id

Permanently deletes a user account from AutoPart Pro. Requires a valid Bearer token with the admin role. An admin cannot delete their own account — the server compares the path id parameter against req.user.id (the ID decoded from the JWT) and returns a 400 if they match.
This action is irreversible. Deleting a user does not cascade-delete their associated sales records — those remain in the sales table and retain the original user_id foreign key value.

Path parameters

id
integer
required
The database ID of the user account to delete. Must not be the same as the authenticated admin’s own ID.

Example request

curl -X DELETE https://api.autopartpro.com/api/users/42 \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiNm9sZSI6ImFkbWluIiwiaWF0IjoxNzEwODY0MDAwLCJleHAiOjE3MTA4Njc2MDB9.admintoken"

Responses

success
boolean
true when the account is deleted.
message
string
"Usuario eliminado correctamente." on success.
200 — OK
{
  "success": true,
  "message": "Usuario eliminado correctamente."
}
400 — Attempting to delete own account
{
  "success": false,
  "message": "No puedes eliminar tu propia cuenta."
}
401 — No token provided
{
  "message": "No autorizado, no se proporcionó un token."
}
401 — Invalid or expired token
{
  "message": "Token no válido o expirado."
}
403 — Insufficient role
{
  "success": false,
  "message": "Acceso denegado. No se encontraron roles asignados."
}

Build docs developers (and LLMs) love