Spartans Gym uses a two-role authorization model to separate what staff members can do. Every request to the API must carry a valid JWT Bearer token, and the server verifies the caller’s role before allowing access to any protected resource. Role checks happen at the middleware layer, meaning no route can be reached unless the correct role is present in the decoded token — frontend restrictions alone are never relied upon.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/azahel79/Spartans-gym/llms.txt
Use this file to discover all available pages before exploring further.
Roles
There are exactly two roles in the system, defined as a Prisma enum:| Role | Description |
|---|---|
admin | Full system access including user management, configuration, and financial data |
recepcionista | Day-to-day operations — managing clients, recording attendance, and processing transactions |
recepcionista unless a different role is specified at creation time.
How Authentication Works
Every protected route runs theauthenticate middleware first. It reads the Authorization header, expects a Bearer <token> value, and verifies the JWT with the server secret. The decoded payload is then attached to the request object for downstream middleware and controllers to use.
401 Unauthorized.
Role Enforcement Middleware
Two ready-made middleware exports handle the most common access patterns:requireAdmin allows only users whose token carries role: "admin". requireAnyUser allows either role. Any mismatch returns 403 Forbidden with the body { "success": false, "error": "No tienes permiso para acceder a este recurso" }.
Routes apply these middlewares at the router level so every endpoint in that group is protected uniformly:
Permissions by Feature
The table below shows which HTTP methods are permitted for each role across every major feature area.- Clients
- Plans
- Products
- Transactions & Dashboard
- Admin-Only
| Operation | Method | Endpoint | Admin | Recepcionista |
|---|---|---|---|---|
| List / search clients | GET | /api/clients | ✅ | ✅ |
| Create client | POST | /api/clients | ✅ | ✅ |
| Record attendance | POST | /api/clients/:id/attendance | ✅ | ✅ |
| Renew membership | POST | /api/clients/:id/renew | ✅ | ✅ |
| Edit client | PUT | /api/clients/:id | ✅ | ❌ |
| Delete client | DELETE | /api/clients/:id | ✅ | ❌ |
Frontend Enforcement
The frontend reinforces server-side rules in two ways:PrivateRoute Guard
Admin-only pages such as
/config are wrapped in a PrivateRoute component that checks the authenticated user’s role. A receptionist navigating directly to that URL is redirected before the page renders.Conditional UI Elements
Edit and delete buttons throughout the interface are conditionally rendered based on
user.role. Receptionists see read-only views of plans, products, and client profiles without action controls.Changing a User’s Role
An admin can promote or demote any other user by sending aPATCH request to the role endpoint:
role are "admin" and "recepcionista". Any other value returns 400 Bad Request.