Overview

These endpoints manage dashboard user accounts stored in Firestore and Firebase Auth. Users have one of three roles (VOLUNTEER, ADMIN, DIRECTOR) encoded as custom claims on their Firebase Auth token. Role levels determine what operations each user may perform.
Role | Level
VOLUNTEER | 0
ADMIN | 1
DIRECTOR | 2
All endpoints require a valid Firebase Auth ID token. Base URL: https://us-east4-breastfeeding-center-gw.cloudfunctions.net/api

GET /users/all

Returns a list of all registered dashboard users.
Auth required: Yes

Example

curl https://us-east4-breastfeeding-center-gw.cloudfunctions.net/api/users/all \
  -H "Authorization: Bearer <id_token>"

Response

Returns a JSON array of User objects.
auth_id (string): Firebase Auth UID for the user.
email (string): User’s email address.
firstName (string): User’s first name.
lastName (string): User’s last name.
pronouns (string): User’s pronouns (optional).
phone (string): User’s phone number (optional).
type (string): User’s role: "VOLUNTEER", "ADMIN", or "DIRECTOR".

Error codes

Status | Reason
403 | Missing or invalid auth token

GET /users/id/:auth_id

Returns a single user by their Firebase UID.
Auth required: Yes

Path parameters

auth_id (string, required): The Firebase Auth UID of the user to retrieve.

Example

curl https://us-east4-breastfeeding-center-gw.cloudfunctions.net/api/users/id/UID123 \
  -H "Authorization: Bearer <id_token>"

Response

Returns a single User object (same fields as GET /users/all).

Error codes

Status | Reason
403 | Missing or invalid auth token
404 | No user found for the given UID

DELETE /users/id/:auth_id

Deletes a user account from both Firestore and Firebase Auth.
Auth required: Yes
Role-based deletion rules:
  • Any authenticated user may delete their own account.
  • A non-DIRECTOR user may only delete users with a strictly lower role level.
  • A DIRECTOR user may delete any account.
  • The last remaining DIRECTOR account cannot be deleted; at least one DIRECTOR must always exist.

Path parameters

auth_id (string, required): The Firebase Auth UID of the user to delete.

Example

curl -X DELETE \
  https://us-east4-breastfeeding-center-gw.cloudfunctions.net/api/users/id/UID123 \
  -H "Authorization: Bearer <id_token>"

Response

Returns 200 OK with an empty body on success.

Error codes

Status | Reason
400 | Missing auth_id, or deleting the last DIRECTOR is not allowed
403 | Insufficient permissions to delete the target user
404 | No user found for the given UID

PUT /users/me/namepronouns

Updates the authenticated user’s first name, last name, and pronouns in Firestore.
Auth required: Yes

Body

firstName (string, required): New first name for the user.
lastName (string, required): New last name for the user.
pronouns (string): New pronouns. If omitted, the field is set to null.

Example

curl -X PUT \
  https://us-east4-breastfeeding-center-gw.cloudfunctions.net/api/users/me/namepronouns \
  -H "Authorization: Bearer <id_token>" \
  -H "Content-Type: application/json" \
  -d '{ "firstName": "Jane", "lastName": "Doe", "pronouns": "she/her" }'

Response

Returns 200 OK with the string "Name and pronouns successfully updated!".

Error codes

Status | Reason
400 | firstName or lastName is missing
403 | Missing or invalid auth token

PUT /users/me/email

Updates the authenticated user’s email address in both Firestore and Firebase Auth.
Auth required: Yes. The token must have been issued within the last 5 minutes (recent authentication required).
The oldEmail in the request body must match the email on the caller’s auth token. This prevents accidental or unauthorized email changes.

Body

oldEmail (string, required): The user’s current email address. Must match the email on the caller’s Firebase Auth token.
newEmail (string, required): The new email address to set.

Example

curl -X PUT \
  https://us-east4-breastfeeding-center-gw.cloudfunctions.net/api/users/me/email \
  -H "Authorization: Bearer <id_token>" \
  -H "Content-Type: application/json" \
  -d '{ "oldEmail": "old@example.com", "newEmail": "new@example.com" }'

Response

Returns 200 OK with the string "Email successfully updated!".

Error codes

Status | Reason
400 | oldEmail or newEmail is missing
401 | oldEmail does not match the email on the caller’s auth token
403 | Missing or invalid auth token, or token is older than 5 minutes

PUT /users/me/phone

Updates the authenticated user’s phone number in both Firestore and Firebase Auth.
Auth required: Yes. The token must have been issued within the last 5 minutes (recent authentication required).

Body

newPhone (string, required): The new phone number in E.164 format (e.g. +12025551234).

Example

curl -X PUT \
  https://us-east4-breastfeeding-center-gw.cloudfunctions.net/api/users/me/phone \
  -H "Authorization: Bearer <id_token>" \
  -H "Content-Type: application/json" \
  -d '{ "newPhone": "+12025551234" }'

Response

Returns 200 OK with the string "Phone number successfully updated!".

Error codes

Status | Reason
400 | newPhone is missing
403 | Missing or invalid auth token, or token is older than 5 minutes
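
The recent-authentication gate shared by PUT /users/me/email and PUT /users/me/phone, mapped to the status codes in the two tables above. This is an added example, not the project's code. It assumes the ID token has already been verified, that token age is measured from its auth_time claim, and that checks run in the order shown; the function names are hypothetical.

```javascript
// Added example, not the project's code.
const MAX_AUTH_AGE_SECONDS = 5 * 60; // "within the last 5 minutes" per this page

// claims: payload of an already verified Firebase ID token.
// Assumption: age is measured from the auth_time claim (seconds since epoch).
function isRecentlyAuthenticated(claims, nowSeconds) {
  if (!claims || !Number.isInteger(claims.auth_time)) return false; // fail closed
  const age = nowSeconds - claims.auth_time;
  return age >= 0 && age <= MAX_AUTH_AGE_SECONDS; // future timestamps are rejected too
}

// Status for PUT /users/me/email. The order of the checks is an assumption.
function decideEmailChange(claims, body, nowSeconds) {
  if (!isRecentlyAuthenticated(claims, nowSeconds)) return 403;
  const { oldEmail, newEmail } = body || {};
  if (typeof oldEmail !== "string" || !oldEmail) return 400;
  if (typeof newEmail !== "string" || !newEmail) return 400;
  // Compare against the email in the token, never an identity taken from the body.
  if (oldEmail !== claims.email) return 401;
  return 200;
}

// Status for PUT /users/me/phone: same recency gate, then the required field.
function decidePhoneChange(claims, body, nowSeconds) {
  if (!isRecentlyAuthenticated(claims, nowSeconds)) return 403;
  if (!body || typeof body.newPhone !== "string" || !body.newPhone) return 400;
  return 200;
}
```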

PUT /users/id/:id/role

Updates the role of another user. Role changes are reflected both in Firestore and as a Firebase Auth custom claim.
Auth required: Yes. ADMIN or DIRECTOR role required.
Role assignment rules:
  • A user cannot assign a role higher than their own.
  • A non-DIRECTOR user can only update the role of users with a strictly lower role level.
  • A DIRECTOR user may update any user’s role.
  • The last remaining DIRECTOR account cannot be demoted; at least one DIRECTOR must always exist.
  • A user may demote their own role (self-demotion), but cannot promote themselves above their current level.

Path parameters

id (string, required): The Firebase Auth UID of the user whose role is being updated.

Body

role (string, required): The new role to assign. Must be one of "VOLUNTEER", "ADMIN", or "DIRECTOR".

Example

curl -X PUT \
  https://us-east4-breastfeeding-center-gw.cloudfunctions.net/api/users/id/UID456/role \
  -H "Authorization: Bearer <id_token>" \
  -H "Content-Type: application/json" \
  -d '{ "role": "ADMIN" }'

Response

Returns 200 OK with the string "Role updated successfully".

Error codes

Status | Reason
400 | role is missing, invalid, or demoting the last DIRECTOR is not allowed
403 | Insufficient role to perform this operation, or missing/invalid auth token
404 | No user found for the given UID
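
The role rules for DELETE /users/id/:auth_id and PUT /users/id/:id/role, written as pure decision functions that return the documented status codes. This is an added example, not the project's code. The caller and target object shapes, the directorCount input, the function names and the order of the checks are assumptions.

```javascript
// Added example, not the project's code. Levels come from the role table on this page.
const ROLE_LEVEL = Object.freeze({ VOLUNTEER: 0, ADMIN: 1, DIRECTOR: 2 });
// Unknown or missing roles map to NaN, so every comparison below is false (fail closed).
const level = (role) =>
  Object.prototype.hasOwnProperty.call(ROLE_LEVEL, role) ? ROLE_LEVEL[role] : NaN;

// caller: { uid, role } from the verified token's custom claims (hypothetical shape).
// target: stored user { auth_id, type }, or null when the UID is unknown.
function mayActOn(caller, target) {
  return caller.uid === target.auth_id           // own account
    || caller.role === "DIRECTOR"                // DIRECTOR may act on any account
    || level(caller.role) > level(target.type);  // otherwise strictly lower level only
}

// Status for DELETE /users/id/:auth_id.
function decideDelete(caller, targetId, target, directorCount) {
  if (!targetId) return 400;
  if (!target) return 404;
  if (!mayActOn(caller, target)) return 403;
  // The last-DIRECTOR rule applies to self-deletion and to DIRECTOR callers alike.
  if (target.type === "DIRECTOR" && directorCount <= 1) return 400;
  return 200;
}

// Status for PUT /users/id/:id/role.
function decideRoleChange(caller, target, newRole, directorCount) {
  if (!(level(caller.role) >= ROLE_LEVEL.ADMIN)) return 403; // ADMIN or DIRECTOR only
  if (Number.isNaN(level(newRole))) return 400;              // missing or invalid role
  if (!target) return 404;
  if (level(newRole) > level(caller.role)) return 403;       // no grant above own level
  if (!mayActOn(caller, target)) return 403;
  const demotesDirector = target.type === "DIRECTOR" && newRole !== "DIRECTOR";
  if (demotesDirector && directorCount <= 1) return 400;
  return 200;
}
```

Because directorCount is read before the write, a real handler would need to perform the count and the delete or demotion atomically so that two concurrent requests cannot both pass the last-DIRECTOR check.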
