Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/edgar2420/QrPermision/llms.txt

Use this file to discover all available pages before exploring further.

Permissions are the transactional records at the heart of PermisosQR. Every time a QR code is activated for an exit, a permission row is created with an exit_time and an allowed_minutes budget. When the bearer returns, the same record is updated with return_time, time_used_minutes, delay_minutes, and the boolean is_compliant flag. All four endpoints below require a valid Bearer token; operators using the admin_operator role can only see permissions they personally enabled.

POST /api/permissions/enable

Creates a new permission record and atomically sets the associated QR code to active. The authenticated user is recorded as enabled_by. The QR must be in available status; any other status returns a 400. Auth required: Bearer
qrId
integer
required
Numeric ID of the QR code to activate. Must currently have available status.
receivedBy
string
required
Full name of the person receiving the exit pass (e.g. employee or visitor).
allowedMinutes
integer
Time budget in minutes. Defaults to 15 if omitted.
notes
string
Optional free-text note attached to this permission (reason for exit, destination, etc.).
Response 201
{
  "success": true,
  "data": {
    "id": 143,
    "qr_id": 7,
    "enabled_by": 2,
    "received_by": "Juan Pérez",
    "returned_by": null,
    "allowed_minutes": 20,
    "exit_time": "2024-01-15T14:30:00.000Z",
    "return_time": null,
    "time_used_minutes": null,
    "delay_minutes": null,
    "is_compliant": null,
    "notes": "Recado en farmacia",
    "created_at": "2024-01-15T14:30:00.000Z"
  }
}
Error responses
StatusCondition
400qrId or receivedBy missing; or QR is not in available status
401Bearer token missing or invalid
404No QR code found with the given qrId
curl -X POST http://localhost:4000/api/permissions/enable \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "qrId": 7,
    "receivedBy": "Juan Pérez",
    "allowedMinutes": 20,
    "notes": "Recado en farmacia"
  }'

POST /api/permissions/return

Closes an open permission by recording the return time and computing compliance metrics. The authenticated user is stored as returned_by. After the update, the associated QR code is atomically set back to available. Compliance formula:
time_used_minutes = (return_time − exit_time) / 60 000   [ms → min]
delay_minutes     = max(0, time_used_minutes − allowed_minutes)
is_compliant      = delay_minutes <= 0
Auth required: Bearer
qrId
integer
required
Numeric ID of the QR code to mark as returned. Must currently be active.
notes
string
Optional note appended to the permission record on return (e.g. reason for delay). If a note was set at enable time, this value is merged via COALESCE.
Response 200 — Full updated Permission object (same shape as POST /api/permissions/enable response, now with all computed fields populated). Error responses
StatusCondition
400qrId missing; or QR is not currently active
404QR not found, or no open permission record found for that QR

GET /api/permissions/history

Returns a paginated, filterable audit log of all permission records. Operators with the admin_operator role automatically receive only records they personally enabled (enabled_by = req.user.id). Super Admins see all records. Auth required: Bearer
page
integer
Page number. Defaults to 1.
limit
integer
Records per page. Defaults to 20.
qrId
integer
Filter to permissions belonging to a specific QR code.
startDate
string
ISO 8601 date-time. Filters created_at >= startDate.
endDate
string
ISO 8601 date-time. Filters created_at <= endDate 23:59:59.
isCompliant
string
Pass true or false to filter by compliance status. Omit to return both.
Response 200
{
  "success": true,
  "data": [
    {
      "id": 143,
      "qr_id": 7,
      "qr_status": "available",
      "enabled_by": 2,
      "enabled_by_name": "Ana Torres",
      "received_by": "Juan Pérez",
      "returned_by": 2,
      "returned_by_name": "Ana Torres",
      "allowed_minutes": 20,
      "exit_time": "2024-01-15T14:30:00.000Z",
      "return_time": "2024-01-15T14:50:00.000Z",
      "time_used_minutes": "20.00",
      "delay_minutes": "0.00",
      "is_compliant": true,
      "notes": null,
      "created_at": "2024-01-15T14:30:00.000Z"
    }
  ],
  "total": 143,
  "page": 1,
  "limit": 20,
  "pages": 8
}
The history response includes a qr_status field (from the joined qr_codes table) that is not present on the enable/return response objects. It reflects the QR’s current status, not the status at the time the permission was created.
curl "http://localhost:4000/api/permissions/history?page=1&limit=10&isCompliant=false&startDate=2024-01-01" \
  -H "Authorization: Bearer <token>"

DELETE /api/permissions/:id

Permanently removes a permission record from the database. If the deleted permission was still open (no return_time), the associated QR code is automatically reset to available. Restricted to Super Admins. Auth required: Bearer — Super Admin only Path parameter: id — integer permission record ID Response 200
{ "success": true, "message": "Registro eliminado permanentemente" }
Error responses
StatusCondition
403Authenticated user is not a Super Admin
404No permission record with the given ID exists
Deleting an active permission (one with no return_time) will silently set the associated QR back to available. Ensure this is intentional before proceeding — there is no undo.

Build docs developers (and LLMs) love