/api/admin endpoints require a valid JWT token and role='admin'.
The authenticateToken middleware validates the JWT first; the requireRole(['admin']) middleware then enforces the role restriction on every route in this group. These endpoints expose system-level operations — security monitoring and direct database management — that must not be accessible to standard users.
POST /api/admin/validate-system-password
Validates the system configuration password defined in the ADMIN_SYSTEM_CONFIG_PASSWORD environment variable. This password gates access to sensitive configuration screens in the frontend without requiring a separate credential store. Both successful and failed attempts are recorded in the audit log.
Request body
The system configuration password to validate. Compared directly against the ADMIN_SYSTEM_CONFIG_PASSWORD environment variable (plain-text comparison — ensure this variable is kept secret and not checked into source control).
200 OK on match, 401 Unauthorized on mismatch.
true when the password matches.
true when the password matches; false when it does not. The HTTP status code mirrors this: 200 for true, 401 for false.

| Status | Reason |
|---|---|
| 400 | password field missing from request body |
| 401 | Password does not match ADMIN_SYSTEM_CONFIG_PASSWORD |
| 500 | ADMIN_SYSTEM_CONFIG_PASSWORD not set in server environment |
GET /api/admin/security-stats
Returns real-time security statistics collected by the in-memory security middleware. Stats include tracked IP addresses, currently blocked IPs, per-IP suspicion scores, and failed login attempt counts.
Security stats are held in process memory and are reset when the backend process restarts (e.g. after a deployment or server reboot). They are not persisted to the database.
Always true on a successful response.
Current security state captured by the middleware. Fields vary by middleware implementation but typically include:
ISO 8601 timestamp of when the stats snapshot was taken (new Date().toISOString()).
POST /api/admin/backup
Creates a full snapshot of a database table by running SELECT * INTO dbo.<table>_backup_YYYYMMDD FROM dbo.<table>. The backup
table name includes today’s date so multiple backups on different days do not
conflict. The row count of the new backup table is returned in the response
and the operation is recorded in the audit log.
Allowed tables: consolidaciones_generales, consolidaciones_hoteles,
clientes, users, system_logs, uploaded_files.
Request body
Name of the source table to back up. Must be one of the allowed tables listed above. Any other value returns 400 Bad Request.
true on successful backup creation.
Name of the newly created backup table (e.g. "consolidaciones_generales_backup_20240710").
Number of rows copied into the backup table.

| Status | Reason |
|---|---|
| 400 | table field missing or not in the allowed list |
| 403 | Caller does not have admin role |
| 500 | Database error during the SELECT INTO operation |
POST /api/admin/delete
Deletes all records from a database table using DELETE FROM dbo.<table>,
executed inside a transaction that is automatically rolled back if an error
occurs. Optionally creates a backup first. Both the backup step and the
deletion are recorded in the audit log.
Allowed tables: consolidaciones_generales, consolidaciones_hoteles,
clientes, users, system_logs, uploaded_files.
Request body
Name of the table to clear. Must be one of the allowed tables listed above.
When true, a dated backup table is created (identical to calling POST /api/admin/backup) before the delete runs. Strongly recommended. Defaults to false when omitted.
true on successful deletion.
Always true when the operation completes without error.
Name of the backup table created before deletion (e.g. "clientes_backup_20240710"), or null if backupBefore was false.

| Status | Reason |
|---|---|
| 400 | table field missing or not in the allowed list |
| 403 | Caller does not have admin role |
| 500 | Database error; transaction is rolled back automatically |
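The allow-list check and backup naming described for POST /api/admin/backup and POST /api/admin/delete, as an added example that is not the project's own code. Table names cannot be bound as SQL parameters, so the exact-match allow-list is the only thing standing between the `table` field and the statement text. `planAdminOperation`, the `backupTable` result key and the use of the UTC date are assumptions.

```javascript
// Added example: a sketch, not the project's code. planAdminOperation and the
// backupTable result key are hypothetical names.

// Exact-match allow-list from the page. A Set avoids the prototype keys
// ("constructor", "__proto__") that a plain-object lookup would accept.
const ALLOWED_TABLES = new Set([
  'consolidaciones_generales', 'consolidaciones_hoteles',
  'clientes', 'users', 'system_logs', 'uploaded_files',
]);

// <table>_backup_YYYYMMDD. Assumption: the date is taken in UTC.
function backupName(table, now) {
  const yyyymmdd = now.toISOString().slice(0, 10).replace(/-/g, '');
  return `${table}_backup_${yyyymmdd}`;
}

// Returns the HTTP status and the SQL statements to run, in order.
// action is 'backup' or 'delete'; body is the parsed JSON request body.
function planAdminOperation(action, body, now = new Date()) {
  if (action !== 'backup' && action !== 'delete') {
    throw new Error(`unknown action: ${action}`);
  }
  const table = body ? body.table : undefined;
  // Reject before any SQL text is built: missing field, non-string JSON
  // values (arrays, objects), wrong case, padding, or trailing characters.
  if (typeof table !== 'string' || !ALLOWED_TABLES.has(table)) {
    return { status: 400, backupTable: null, statements: [] };
  }
  const statements = [];
  let backupTable = null;
  // Only a literal true enables the pre-delete backup; omitted means false.
  if (action === 'backup' || body.backupBefore === true) {
    backupTable = backupName(table, now);
    statements.push(`SELECT * INTO dbo.${backupTable} FROM dbo.${table}`);
  }
  if (action === 'delete') {
    statements.push(`DELETE FROM dbo.${table}`);
  }
  return { status: 200, backupTable, statements };
}

// Constructed sample requests.
const day = new Date(Date.UTC(2024, 6, 10));
console.log(planAdminOperation('delete', { table: 'clientes', backupBefore: true }, day));
console.log(planAdminOperation('backup', { table: 'clientes; --' }, day));
```

SELECT ... INTO creates its target table, so a second backup of the same table on the same date fails with a database error rather than overwriting the first.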
Related pages
- Configuration → Security — ADMIN_SYSTEM_CONFIG_PASSWORD and security middleware settings
- Configuration → Environment — full environment variable reference
- System Logs API — audit trail entries created by backup and delete operations
- Configuration → Database — database connection and table structure
- Deployment → Web — notes on process restarts and in-memory state