
CoffeePrice is built around three distinct user roles, productor, comprador, and admin, each with its own dashboard, access level, and workflow. Your role determines what you can see, which API endpoints you can call, and which account states apply to your registration. This page explains the full permission model so you can navigate the platform with confidence.

Roles at a Glance

| Role | Description | Estado on registration | Dashboard route |
|---|---|---|---|
| productor | Coffee farmer who tracks prices, predictions, and alerts | activo immediately | /dashboard |
| comprador | Coffee buyer who publishes purchase prices and appears on the regional map | pendiente until an admin approves | /comprador/dashboard |
| admin | Platform administrator who manages users, news, reviews, and configuration | N/A (created directly) | /admin/dashboard |

Account States

Every user account carries an estado field that controls what actions the user can take. The five possible values are:
| Estado | Meaning | Effect |
|---|---|---|
| activo | Account is fully active | Full access to all routes permitted for the role |
| pendiente | Account is awaiting review or email verification | Compradores in this state can only access /api/comprador and the auth endpoints |
| rechazado | Registration was rejected by an admin | Access is blocked; only logout and /api/auth/me are reachable |
| eliminado | Account has been soft-deleted | All protected routes return 403; the account no longer appears in listings |
| suspendido | Account was voluntarily suspended by the user | Blocked from all routes except reactivation (/api/usuario/reactivar) and logout |
A suspended user can self-reactivate via PUT /api/usuario/reactivar without admin intervention. A rejected or eliminated user must contact an admin.

How Authentication Works

CoffeePrice uses JWT-based authentication. The token is issued at login and stored in an HTTP-only cookie named auth_token. API clients that cannot use cookies can instead send the token in the Authorization header as a Bearer token.

authMiddleware

authMiddleware.js runs on every protected route. It:
  1. Reads the JWT from req.cookies.auth_token, then falls back to req.headers.authorization.
  2. Verifies the token against JWT_SECRET and fetches the live _id, rol, and estado from the database.
  3. Attaches req.user = { id, rol, estado } for downstream middleware and controllers.
  4. Returns 401 if the token is missing, invalid, or expired.
  5. Returns 403 if the user’s estado is rechazado, eliminado, or suspendido and the requested route is not on the allow-list for that state.

rolMiddleware

rolMiddleware.js is a factory that accepts one or more role strings and produces an Express middleware:
```js
// Only admins may access this route
router.get("/", authMiddleware, rolMiddleware("admin"), getusuario);

// Both compradores and admins may access this route (the factory takes several
// role strings). rolMiddleware checks only the role; the "owner or admin" rule
// for this endpoint still has to be enforced inside updatecomprador.
router.put("/:id", authMiddleware, rolMiddleware("comprador", "admin"), updatecomprador);
```
It reads req.user.rol (set by authMiddleware) and returns 403 if the role is not in the permitted list.

Route Protection Overview

The table below summarises which role and estado combination is required for the most important API endpoints.
| Endpoint | Method | Required role | Notes |
|---|---|---|---|
| /api/auth/login | POST | Public | |
| /api/auth/register | POST | Public | |
| /api/auth/me | GET | Any authenticated | Works for all estados |
| /api/auth/logout | POST | Any authenticated | Works for all estados |
| /api/usuario | GET | admin | Lists all users |
| /api/usuario/:id/estado | PUT | admin | Change any user's estado |
| /api/usuario/:id/actualizar | PUT | admin | Update any user's data |
| /api/usuario/:id | DELETE | admin | Soft-delete a user |
| /api/usuario/perfil | PUT | Any authenticated, activo | Self-service profile update |
| /api/usuario/password | PUT | Any authenticated, activo | Self-service password change |
| /api/usuario/suspender | PUT | Any authenticated | Self-suspend own account |
| /api/usuario/reactivar | PUT | suspendido user | Reactivate own account |
| /api/comprador | GET | admin | Lists all buyers |
| /api/comprador | POST | comprador | Create buyer profile |
| /api/comprador/mapa | GET | Public | Approved buyers only |
| /api/comprador/:id | PUT | Owner or admin | Update buyer profile |
| /api/comprador/:id | DELETE | admin | Delete buyer |
| /api/precios | GET | Public | FNC and buyer prices |
| /api/predicciones | GET | Public | Next-day FNC prediction |
| /api/alertas/usuario/:id | GET | Owner | Own alerts |
| /api/alertas | POST | productor or admin | Create price alert |
| /api/noticias | POST | admin | Create news article |
| /api/configuracion | PUT | admin | Update platform settings |

Learn More About Each Role

Producer

How caficultores register, track prices, set alerts, and manage their accounts.

Buyer

How compradores register, complete their profile, publish prices, and appear on the map.

Admin

How admins approve buyers, manage users, moderate content, and configure the platform.
