AutoPart Pro uses a role-based access control (RBAC) system built on JWT authentication and a lightweightDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/JFKoryy/autopart-pro/llms.txt
Use this file to discover all available pages before exploring further.
authorize middleware. Every registered account is assigned one of three roles — admin, employee, or client — that is stored in the database and embedded in the user’s JWT at login time. On each subsequent request the role is decoded from the token and compared against the list of roles permitted for that endpoint.
The Three Roles
| Role | Intended For | Default |
|---|---|---|
admin | Store owners and managers who need full read/write access | — |
employee | Warehouse staff who can view and adjust stock but not manage accounts | — |
client | End-customers who browse the catalog and place orders | ✅ |
POST /api/auth/register receives the client role automatically. An admin must use PUT /api/users/:id/role to promote accounts to employee or admin.
Role Embedding in JWT
At login, the authentication controller signs a JWT that includes the user’sid, email, and role in its payload. The protect (auth) middleware decodes the token on each request and attaches the decoded payload to req.user, making req.user.role available to every downstream middleware and controller.
The authorize Middleware
backend/src/middleware/roleMiddleware.js exports a higher-order function that accepts any number of allowed role strings and returns an Express middleware:
authorize is always chained after protect so that req.user is guaranteed to be populated when the role check runs. Example from productRoutes.js:
Endpoint Permissions
| Method | Endpoint | Auth | Roles | Notes |
|---|---|---|---|---|
GET | /api/products | No | — | Public catalog read |
GET | /api/products/:id | Yes | Any | Single product detail |
GET | /api/products/low-stock | Yes | Any | Products at or below min_stock |
POST | /api/products | Yes | admin | Create a new product |
PUT | /api/products/:id | Yes | admin | Update a product |
DELETE | /api/products/:id | Yes | admin | Delete a product |
GET | /api/sales | Yes | Any | Admin sees all; employee and client see own orders only |
POST | /api/sales | Yes | Any | Place a new order |
GET | /api/users | Yes | admin | List all user accounts |
PUT | /api/users/:id/role | Yes | admin | Change a user’s role |
DELETE | /api/users/:id | Yes | admin | Delete a user account |
For
GET /api/sales, role filtering is applied in the controller rather than the route definition. The saleController.getSales function checks req.user.role === 'admin' and calls either SaleModel.getAll() or SaleModel.getByUser(req.user.id) accordingly.Admin User Management
The admin panel exposes three user-management operations, all under/api/users and all protected by authorize('admin'):
List Users
GET /api/users returns every account’s id, name, email, and role. The password hash is never included in the response.Change Role
PUT /api/users/:id/role accepts { "role": "admin" | "employee" | "client" }. Any other value returns 400. The controller validates the value before updating the database.Delete User
DELETE /api/users/:id removes the account permanently. An admin cannot delete their own account — passing their own id returns a 400 error.Updating a User’s Role
400):
Role Validation in the Controller
Frontend Enforcement
On the React side, aProtectedRoute component wraps pages that require specific roles. If the authenticated user’s role does not match the route’s requirements they are redirected rather than shown a 403 error page. The Dashboard renders different widgets and navigation items depending on the role stored in AuthContext, so admins see user-management and sales overview panels while clients only see their order history and the catalog.
Related Pages
Inventory Management
See how
authorize('admin') is applied to every product write endpoint.Sales & Checkout
Understand how role determines which sales records a user can retrieve.