Credith enforces a role-based access control (RBAC) model across both its Express.js API and its React dashboard. Every authenticated user carries one of three roles —Documentation Index
Fetch the complete documentation index at: https://mintlify.com/RoyGeova07/Credith/llms.txt
Use this file to discover all available pages before exploring further.
OWNER, ADMIN, or EMPLOYEE — and that role determines which menu items are visible in the sidebar, which API routes can be called, and which store-scoped data is returned. Roles are stored in the database and evaluated at runtime on each request.
The Three Roles
Roles are defined as a frozen constant inService/helper/roles.js and mirrored in the frontend Website/src/helpers/permissions.js:
OWNER
Full platform access. Manages stores, employees, CAI authorizations, checkout machines, categories, products, sales, reports, credit plans, and invoices. Sees data across all stores in the company.
ADMIN
Store-level manager. Can process sales, manage products, view credit plans and invoices. Data is automatically scoped to their assigned store (
req.user.storeId).EMPLOYEE
Front-line cashier. Can view credit plans, invoices, and the home dashboard. Bills are scoped to their own
userId when listing invoices.Dashboard Menu Permissions
ThemenuItems array in permissions.js controls which sidebar links each role can see. Items not in a user’s roles array are hidden automatically by the frontend.
| Menu Key | Label (ES) | Path | Roles Allowed |
|---|---|---|---|
home | Inicio | / | OWNER, ADMIN, EMPLOYEE |
stores | Tiendas | /admin/stores | OWNER |
cai | CAI | /admin/cai | OWNER |
employees | Empleados | /admin/employees | OWNER |
machines | Cajas | /admin/machines | OWNER |
sales | Ventas | /cart | OWNER, ADMIN |
products | Productos | /products | OWNER, ADMIN |
categories | Categorias | /owner/category | OWNER |
creditPlans | Planes de credito | /credit-plans | OWNER, ADMIN, EMPLOYEE |
invoices | Facturas | /bills | OWNER, ADMIN, EMPLOYEE |
reports | Reportes | /reports | OWNER |
How Authentication Works
TheauthMiddleware in Service/middlewares/authMiddleware.js protects routes by reading a JWT from the token cookie attached to the request:
req.user and is available to all downstream middleware and controllers. The role field on req.user defaults to ROLE.EMPLOYEE if missing.
How Role Enforcement Works
TheroleMiddleware factory in Service/middlewares/roleMiddleware.js wraps any route that needs role-gating. It is called with one or more allowed roles and returns a middleware function:
Role Assignment in the Database
Roles are stored in aroles table and linked to users through a many-to-many junction table users_roles. Each record in users_roles associates a user_id with a role_id.
Most API endpoints in Credith are currently unauthenticated — no JWT is required to call them. Only three user-management routes enforce the
authMiddleware + roleMiddleware stack:PUT /api/users/desactivate/:id— deactivate a user (OWNER only)PUT /api/users/activate/:id— reactivate a user (OWNER only)PUT /api/users/update-password— change the authenticated user’s own password
Bill Visibility by Role
The role system also scopes data returned fromGET /api/bills. Controllers inspect req.user.role at runtime:
| Role | Bills Visible |
|---|---|
OWNER | All bills across all stores |
ADMIN | Only bills where store_id = req.user.storeId |
EMPLOYEE | Only bills where user_id = req.user.id |
GET /api/payment-plan/pending-payments endpoint, where non-owner users see only payments linked to their store.