MultiSas is a Node.js/Express REST API backend designed to power multi-business SaaS platforms. Built on MongoDB with Mongoose, it lets you run an unlimited number of companies (tenants) on a single deployment — each one fully isolated by company_id. Every request is secured with JSON Web Tokens, and access to advanced features is gated behind subscription plans, making MultiSas an ideal engine for SaaS products that serve sublimation shops, restaurants, pharmacies, accounting firms, and HR departments from a single codebase.

Modules

MultiSas ships five first-class business modules, each with its own set of REST endpoints, models, and middleware guards.

Sublimation

Manage suppliers, clients, sales, orders (pedidos), production runs, briefcases, employees, and payroll rosters for sublimation print shops.

Restaurant

Handle product categories, menu items, tables, deliveries, restaurant orders, and charges for food service businesses.

Pharmacy

Track pharmaceutical products, clients, and sales with batch-level counters and inventory controls for dispensaries and drug stores.

Accounting

Maintain a full chart of accounts (cuenta contable) and structured account plans for double-entry bookkeeping and financial reporting.

HR & Payroll

Manage employee records, payroll rosters, detailed payroll calculations, and payroll concepts including accruals, deductions, and transport allowances.

Architecture

Multi-Tenancy

Every resource in MultiSas is scoped to a company_id. When a company registers, a dedicated Company document is created in MongoDB and assigned a unique _id. All subsequent resources — employees, sales, products, orders — reference that _id so that queries never cross tenant boundaries. A Super Admin account (with role_user: "Super Admin") sits above all tenants and can manage plans and company settings across the entire platform.

JWT Middleware Stack

MultiSas uses a layered middleware pipeline defined in src/core/middleware/tools/Token.js. Incoming requests carry a JWT in the token-access header. The middleware verifies the token against the SECRET environment variable, resolves the caller’s identity from MongoDB, and populates req.user before the request reaches the controller. There are five middleware functions — Token, TokenUserCompany, TokenAny, TokenAuthorize, and TokenValidationPlan — that can be composed per route to enforce company-admin access, sub-user access, mixed access, role restrictions, and plan gating respectively. See the Authentication page for a full breakdown.

Plan Enforcement

Each Company document carries an available_plans field ("Plan Basico", "Plan Profesional", "Plan Premium", "Plan Personalizado", or "Sin Plan") alongside type_available_plans ("Mensual", "Anual", or "Permanente") and expired_available_plans. The TokenValidationPlan(feature) middleware reads a plan.json feature map and rejects requests from companies whose plan does not include the requested feature, returning HTTP 403 with {"msj": "Tu plan no permite usar esta funcion", "status": false}.
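A sketch of the plan-gating pattern described above, as an added example and not MultiSas's own TokenValidationPlan code. The feature map contents, the feature names, the `req.user.company` shape and the expiry check are assumptions; the plan names and the 403 body come from this page. The gate fails closed on unknown plans and malformed expiry dates.

```javascript
// Constructed feature map standing in for plan.json (its real contents are not shown on the page).
const PLAN_FEATURES = {
  "Plan Basico": ["sales"],
  "Plan Profesional": ["sales", "payroll"],
  "Plan Premium": ["sales", "payroll", "accounting"],
  "Sin Plan": [],
};

// Response body quoted from the page.
const DENIED = { msj: "Tu plan no permite usar esta funcion", status: false };

// Hypothetical gate factory; returns Express-style middleware (req, res, next).
function planGate(feature, planMap = PLAN_FEATURES, now = () => new Date()) {
  return function (req, res, next) {
    const company = req.user && req.user.company; // assumed to be set by the JWT middleware
    const deny = () => res.status(403).json(DENIED);
    if (!company) return deny(); // no resolved tenant: fail closed
    // Own-property lookup so a plan named "constructor" never resolves to a prototype member.
    const known = Object.prototype.hasOwnProperty.call(planMap, company.available_plans);
    const features = known ? planMap[company.available_plans] : null;
    if (!Array.isArray(features) || !features.includes(feature)) return deny();
    // Assumption of this sketch: non-permanent plans stop granting features after expiry.
    if (company.type_available_plans !== "Permanente") {
      const expires = new Date(company.expired_available_plans);
      if (Number.isNaN(expires.getTime()) || expires <= now()) return deny();
    }
    return next();
  };
}

// Minimal stand-in for an Express response, to exercise the gate offline.
function run(gate, company) {
  const out = { status: 200, body: null, passed: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  gate({ user: { company } }, res, () => { out.passed = true; });
  return out;
}
```

Keeping the plan lookup and the expiry check in one middleware means a route cannot be gated on plan tier while forgetting the expiry date.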

Key Features

  • Multi-tenancy — every document is scoped to a company_id; tenants never share data.
  • JWT Role-Based Access Control — five composable middleware functions enforce identity, role, and plan at the route level.
  • Plan-gated features: TokenValidationPlan blocks access to premium endpoints for companies on lower-tier plans.
  • Automatic bill numbering — each Company document holds a counters map that auto-increments invoice and document numbers across all modules (sales, briefcases, production runs, pharmacy batches, etc.).
  • Paginated list endpoints — list routes accept optional :pag and :perpage URL parameters and return a pagination object (pag, perpage, pags) alongside the data array.

Tech Stack

| Layer | Technology |
| --- | --- |
| Runtime | Node.js (ESM, "type": "module") |
| Framework | Express 4 (^4.18.2) |
| Database | MongoDB via Mongoose 8 (^8.7.3) |
| Authentication | jsonwebtoken (^9.0.2) |
| Password hashing | bcrypt (^5.1.1) |
| Environment | dotenv (^16.3.1) |
| Logging | morgan (^1.10.0) — dev format |
| CORS | cors (^2.8.5) |
| Dev server | nodemon (^3.0.1) via npm run dev |
