Monitor API enforces role-based access control (RBAC) via the rol claim embedded in every JWT. The claim is set at login and is covered by the token signature, so a client cannot change it without invalidating the token. Three roles exist: Administrador, Operador, and Tecnico. Every protected route is guarded by at least one middleware function that compares the token's rol value against the permission level the route requires.
Role Summary
| Role | Expedientes (create/update) | Expedientes (read) | Expedientes (delete) | Levantamientos (create/read/update) | Levantamientos (delete) | Manage users | Upload evidence | Delete evidence |
|---|---|---|---|---|---|---|---|---|
| Administrador | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Operador | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| Tecnico | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Role Descriptions
Administrador
Full access to every endpoint in the API. Administrators are the only users who can:
- Create new user accounts via POST /api/auth/register.
- Delete expedientes (DELETE /api/expedientes/:no_siniestro).
- Delete uploaded evidence files (DELETE /api/expedientes/:no_siniestro/evidencias/:id).
- Delete levantamiento concepts (DELETE /api/levantamientos/conceptos/:id_concepto) and full levantamiento records (DELETE /api/levantamientos/:id).
An administrator cannot delete their own account. This guard prevents accidentally locking the system out of all administrative access.
Operador
Broad write access to claim data, but no destructive or user-management operations. Operadores can:
- Create, read, and update expedientes.
- Create, read, and update levantamientos and add concepts to them.
- Upload evidence files (POST /api/expedientes/:no_siniestro/evidencias).
Tecnico
Read access to expedientes and full create/update access to levantamientos, but no destructive operations and no evidence upload. Tecnicos can:
- Read any expediente (GET /api/expedientes, GET /api/expedientes/:no_siniestro).
- Create and update levantamiento records (POST /api/levantamientos, PUT /api/levantamientos/:id).
- Add concepts to a levantamiento (POST /api/levantamientos/:id/conceptos).
- Read levantamiento cost totals (GET /api/levantamientos/:id/costo-total).
Middleware Implementation
Three middleware functions in auth.middleware.ts enforce authentication and authorization. They are designed to be composed as Express route middleware chains: each function either calls next() to hand the request to the next function in the chain, or ends the request with an error status.
- verificarToken: reads the Authorization: Bearer <token> header, verifies the JWT signature and expiry using the server's JWT_SECRET, and attaches the decoded payload to req.usuario. Returns 401 if the header is absent or the token is invalid (bad signature, expired, or malformed).
- Administrator-only guard: checks that req.usuario.rol === "Administrador". Returns 403 with { "error": "Acceso restringido a administradores" } for any other role. Must be placed after verificarToken in the chain, because it reads the payload that verificarToken attaches.
- Administrator-or-operador guard: checks that req.usuario.rol is either "Administrador" or "Operador". Returns 403 with { "error": "Acceso restringido a administradores y operadores" } for Tecnico tokens. Must be placed after verificarToken in the chain for the same reason.
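The chain behaviour described above, as an added example rather than the project's own auth.middleware.ts: a self-contained TypeScript model of the three guards with a minimal HS256 signer and verifier built on node:crypto so it runs offline. Only rol, JWT_SECRET, verificarToken and the two 403 messages come from the page; the token library, the 401 response body, the guard names requireAdmin and requireAdminOrOperador, the payload fields id and username, and the secret value are assumptions for the example. It also shows why the client cannot change rol: forgeRol rewrites the payload of a Tecnico token without re-signing it, and verificarToken rejects it at the signature check.

```typescript
// Added example, not the Monitor project's code. Guard names other than
// verificarToken, the 401 body and the payload fields id/username are assumed.
import { createHmac, timingSafeEqual } from "node:crypto";

export type Rol = "Administrador" | "Operador" | "Tecnico";
export interface Payload { id: number; username: string; rol: Rol; exp: number }

// Minimal stand-ins for Express's Request, Response and NextFunction.
export interface Req { headers: Record<string, string | undefined>; usuario?: Payload }
export interface Res { statusCode: number; body?: unknown }
export type Next = () => void;
export type Middleware = (req: Req, res: Res, next: Next) => void;

const JWT_SECRET = "example-secret-do-not-use"; // constructed; the real value comes from the environment

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const hmac = (signingInput: string, secret: string): Buffer =>
  createHmac("sha256", secret).update(signingInput).digest();

// Issues an HS256 token the way the login endpoint would (library details assumed).
export function sign(payload: Payload, secret: string = JWT_SECRET): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = hmac(`${header}.${body}`, secret).toString("base64url");
  return `${header}.${body}.${sig}`;
}

// Returns the payload only if the header says HS256, the HMAC matches and exp is in the future.
export function verify(token: string, secret: string = JWT_SECRET, nowMs: number = Date.now()): Payload | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  try {
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    if (hdr.alg !== "HS256") return null;                // refuse alg=none / algorithm confusion
    const expected = hmac(`${header}.${body}`, secret);
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    const payload: Payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
    if (typeof payload.exp !== "number" || payload.exp * 1000 <= nowMs) return null;
    return payload;
  } catch {
    return null;                                         // malformed base64 or JSON
  }
}

// 1) Authentication: 401 unless a valid Bearer token is present; attaches req.usuario.
export const verificarToken: Middleware = (req, res, next) => {
  const [scheme, token] = (req.headers.authorization ?? "").split(" ");
  const payload = scheme === "Bearer" && token ? verify(token) : null;
  if (!payload) {
    res.statusCode = 401;
    res.body = { error: "Token ausente o inválido" }; // message assumed; the page gives only the status
    return;
  }
  req.usuario = payload;
  next();
};

// 2) Administrator-only guard. Uses ?. so a chain that forgot verificarToken fails closed with 403.
export const requireAdmin: Middleware = (req, res, next) => {
  if (req.usuario?.rol !== "Administrador") {
    res.statusCode = 403;
    res.body = { error: "Acceso restringido a administradores" };
    return;
  }
  next();
};

// 3) Administrator-or-operador guard: Tecnico tokens get 403.
export const requireAdminOrOperador: Middleware = (req, res, next) => {
  const rol = req.usuario?.rol;
  if (rol !== "Administrador" && rol !== "Operador") {
    res.statusCode = 403;
    res.body = { error: "Acceso restringido a administradores y operadores" };
    return;
  }
  next();
};

// Runs a chain the way Express would: a guard that does not call next() ends the request.
// statusCode stays 200 only if every guard handed off and the route handler would run.
export function runChain(chain: Middleware[], authorization?: string): Res {
  const req: Req = { headers: { authorization } };
  const res: Res = { statusCode: 200 };
  let i = 0;
  const next: Next = () => { const mw = chain[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

// What a client can do: rewrite rol in the payload, but not the signature (it lacks JWT_SECRET).
export function forgeRol(token: string, rol: Rol): string {
  const [h, b, s] = token.split(".");
  const payload = JSON.parse(Buffer.from(b, "base64url").toString("utf8"));
  payload.rol = rol;
  return `${h}.${b64url(JSON.stringify(payload))}.${s}`;
}

// Constructed sample tokens and two representative route chains.
const exp = Math.floor(Date.now() / 1000) + 3600;
export const adminToken = sign({ id: 1, username: "admin", rol: "Administrador", exp });
export const tecnicoToken = sign({ id: 3, username: "tecnico1", rol: "Tecnico", exp });
export const deleteExpedienteChain: Middleware[] = [verificarToken, requireAdmin];            // DELETE /api/expedientes/:no_siniestro
export const uploadEvidenciaChain: Middleware[] = [verificarToken, requireAdminOrOperador];   // POST /api/expedientes/:no_siniestro/evidencias
```

runChain(deleteExpedienteChain, `Bearer ${forgeRol(tecnicoToken, "Administrador")}`) answers 401, not 403: the tampered payload never reaches the role guard because verificarToken fails the HMAC comparison first. The same function with [requireAdmin] alone and a valid admin token answers 403, which is the fail-closed behaviour you want when a route accidentally omits verificarToken.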
Usernames cannot contain whitespace. This constraint is validated at both POST /api/auth/login and POST /api/auth/register: requests whose username matches /\s/ are rejected with 400 before any database lookup is performed.