The PortalHub backend exposes a set of PHP endpoints that power the full-stack accounting consultancy portal. Every endpoint is a discrete PHP file that accepts JSON request bodies, enforces session-based authentication, and returns a uniform JSON response envelope. The API is organized into functional modules — auth, users, appointments, documents, payments, messages, notifications, reports, and assignments — each living under its own subdirectory insideDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Nieto2020/portalhub/llms.txt
Use this file to discover all available pages before exploring further.
backend/modules/.
Base URL
All requests target the development server at:In a production deployment the base URL changes to match your domain, but the module paths remain identical. Always use HTTPS in production — the session cookie is automatically marked
Secure when the server detects a TLS connection.Response Envelope
Every endpoint — success or error — returnsContent-Type: application/json and a consistent three-field envelope:
| Field | Type | Description |
|---|---|---|
status | integer | Mirrors the HTTP response status code. |
message | string | Human-readable outcome description. |
data | object | null | Payload for successful responses; null when not applicable. |
HTTP Status Codes
| Code | Meaning | When it occurs |
|---|---|---|
200 OK | Request succeeded | Standard success for GET and mutating POST requests. |
201 Created | Resource created | Returned when a new record is successfully inserted (e.g. user registration). |
400 Bad Request | Validation failure | Missing required fields, invalid email format, mismatched passwords, or duplicate unique values. |
401 Unauthorized | Authentication required | No active session, invalid credentials, or session expired after 1 800 seconds of inactivity. |
403 Forbidden | Authorization failure | Insufficient role permissions, inactive user account, or a mandatory password change is pending. |
405 Method Not Allowed | Wrong HTTP verb | An endpoint received a verb it does not handle (e.g. GET on a POST-only route). |
500 Internal Server Error | Server-side fault | Unhandled PDO or database exception. Details are written to the server error log, not exposed to the client. |
Content-Type
All endpoints expectContent-Type: application/json for request bodies and always respond with Content-Type: application/json. Pass a JSON-encoded body for every POST request:
Authentication Model
PortalHub uses server-side PHP sessions ($_SESSION). After a successful login the server creates a session and sends a PHPSESSID cookie to the browser. Every subsequent request to a protected endpoint must include that cookie.
Three roles are defined in config/config.php:
| Constant | Value | Description |
|---|---|---|
ROL_ADMIN | 1 | Full platform access; can register new users. |
ROL_ASESOR | 2 | Advisor-level access to assigned clients. |
ROL_CLIENTE | 3 | Client-level access to own data only. |
checkAuth() middleware validates the session on every protected endpoint. checkRole(array $allowedRoles) extends that check to enforce role membership.
Session Timeout
Sessions expire after 1 800 seconds (30 minutes) of inactivity. Theultima_actividad timestamp in $_SESSION is refreshed on each authenticated request. If the gap between the current time and ultima_actividad exceeds the timeout, the session is destroyed and a 401 is returned.
CSRF Protection
After a successful login a 64-character hex CSRF token is generated withbin2hex(random_bytes(32)) and stored in $_SESSION['csrf_token']. Endpoints that mutate state require this token to be supplied either:
- In the request body as
"csrf_token": "<token>", or - In the
X-CSRF-Tokenrequest header.
GET /auth/csrf_token.php endpoint.
API Modules
Authentication
Login, logout, session checks, CSRF token retrieval, password updates, and admin user registration.
Users
Manage user profiles, roles, status, and account details for admins, advisors, and clients.
Appointments
Schedule, update, and cancel consultancy appointments between advisors and clients.
Documents
Upload, retrieve, and manage accounting documents attached to client files.
Payments
Record and query payment transactions associated with consultancy services.
Messages
Internal messaging between users across all roles within the portal.
Notifications
System-generated and manual notifications delivered to user dashboards.
Reports
Generate and retrieve accounting and activity reports for advisors and administrators.
Assignments
Manage advisor-to-client assignments that control access and visibility within the portal.