
Monitor API enforces role-based access control (RBAC) through the rol claim carried in every JWT. The server sets the claim at login, and because it is covered by the token signature a client cannot change it without invalidating the token. Three roles exist: Administrador, Operador, and Tecnico. Every protected route is guarded by at least one middleware function that compares the token's rol value against the permission level the route requires.

Role Summary

| Role          | Expedientes (create/update) | Expedientes (read) | Expedientes (delete) | Levantamientos (create/read/update) | Levantamientos (delete) | Manage users | Upload evidence | Delete evidence |
|---------------|-----|-----|-----|-----|-----|-----|-----|-----|
| Administrador | yes | yes | yes | yes | yes | yes | yes | yes |
| Operador      | yes | yes | no  | yes | no  | no  | yes | no  |
| Tecnico       | no  | yes | no  | yes | no  | no  | no  | no  |

Role Descriptions

Administrador

Full access to every endpoint in the API. Administrators are the only users who can:
  • Create new user accounts via POST /api/auth/register.
  • Delete expedientes (DELETE /api/expedientes/:no_siniestro).
  • Delete uploaded evidence files (DELETE /api/expedientes/:no_siniestro/evidencias/:id).
  • Delete levantamiento concepts (DELETE /api/levantamientos/conceptos/:id_concepto) and full levantamiento records (DELETE /api/levantamientos/:id).
An administrator cannot delete their own account. This guard prevents accidentally locking the system out of all administrative access.

Operador

Broad write access to claim data, but no destructive or user-management operations. Operadores can:
  • Create, read, and update expedientes.
  • Create, read, and update levantamientos and add concepts to them.
  • Upload evidence files (POST /api/expedientes/:no_siniestro/evidencias).
Operadores cannot delete expedientes, delete individual evidence files, delete levantamiento records, or create/manage other user accounts.

Tecnico

Read access to expedientes and full create/update access to levantamientos, but no destructive operations and no evidence upload. Tecnicos can:
  • Read any expediente (GET /api/expedientes, GET /api/expedientes/:no_siniestro).
  • Create and update levantamiento records (POST /api/levantamientos, PUT /api/levantamientos/:id).
  • Add concepts to a levantamiento (POST /api/levantamientos/:id/conceptos).
  • Read levantamiento cost totals (GET /api/levantamientos/:id/costo-total).
Tecnicos cannot create or update expedientes, upload or delete evidence files, delete any levantamiento records or concepts, or manage user accounts.

Middleware Implementation

Three middleware functions in auth.middleware.ts enforce authentication and authorization. They are designed to be composed as Express route middleware chains.
verificarToken (middleware)
Reads the Authorization: Bearer <token> header, verifies the JWT signature and expiry against the server's JWT_SECRET, and attaches the decoded payload to req.usuario. Returns 401 if the header is absent or the token is malformed, carries a bad signature, or has expired.

soloAdmin (middleware)
Checks that req.usuario.rol === "Administrador". Returns 403 with { "error": "Acceso restringido a administradores" } for any other role. Must be placed after verificarToken in the chain: if verificarToken has not run, req.usuario is undefined and the property access throws instead of producing a 403.

soloAdminOOperador (middleware)
Checks that req.usuario.rol is either "Administrador" or "Operador". Returns 403 with { "error": "Acceso restringido a administradores y operadores" } for Tecnico tokens. Same ordering requirement as soloAdmin.
Middleware functions are chained directly in the route definition. The request only reaches the controller if every middleware in the chain calls next():
import { Router } from 'express';
import { verificarToken, soloAdmin, soloAdminOOperador } from './auth.middleware';
// Controller import paths are assumed; only the handler names come from the route definitions.
import { crearExpediente, obtenerExpediente, eliminarExpediente } from './expedientes.controller';
import { crearLevantamiento, eliminarLevantamiento, eliminarConcepto } from './levantamientos.controller';

// Expedientes router (mounted at /api/expedientes): each route names its full chain explicitly.
const expedientesRouter = Router();

// Only Administradores can delete an expediente
expedientesRouter.delete('/:no_siniestro', verificarToken, soloAdmin, eliminarExpediente);

// Administradores and Operadores can create an expediente
expedientesRouter.post('/', verificarToken, soloAdminOOperador, crearExpediente);

// All authenticated users (including Tecnico) can read expedientes
expedientesRouter.get('/:no_siniestro', verificarToken, obtenerExpediente);

// Levantamientos router (mounted at /api/levantamientos): verificarToken is applied once via
// router.use(), so every route below already has req.usuario populated before its own chain runs.
const levantamientosRouter = Router();
levantamientosRouter.use(verificarToken);

// All authenticated users (including Tecnico) can create levantamientos
levantamientosRouter.post('/', crearLevantamiento);

// Only Administradores can delete a levantamiento or a concept
levantamientosRouter.delete('/:id', soloAdmin, eliminarLevantamiento);
levantamientosRouter.delete('/conceptos/:id_concepto', soloAdmin, eliminarConcepto);
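The following is an added, self-contained TypeScript example of how the three middleware compose; it is not the project's auth.middleware.ts. It swaps the jsonwebtoken library call for a hand-written HS256 verifier built on Node's crypto module so it runs offline with no dependencies, and it adds a small runChain harness that drives a chain the way Express would. The secret, the Usuario payload fields, the 401 error messages and the runChain helper are assumptions of this example; the 403 messages are the ones documented above. It goes slightly beyond the text by also showing what happens to a token whose rol claim was edited after signing and to a token that claims alg "none": both are rejected at verificarToken with 401, before any role check runs.

```typescript
import * as crypto from "crypto";

// Constructed secret for this example only; the real server reads JWT_SECRET from its environment.
export const JWT_SECRET = "example-secret-do-not-use";

type Rol = "Administrador" | "Operador" | "Tecnico";
// Payload shape is assumed; the page only guarantees that a `rol` claim is present.
interface Usuario { id: number; username: string; rol: Rol; exp: number }

// Minimal stand-ins for Express's Request/Response so the example runs without Express installed.
interface Req { headers: { authorization?: string }; usuario?: Usuario }
interface Res { status(code: number): Res; json(body: unknown): Res }
type Middleware = (req: Req, res: Res, next: () => void) => void;

const b64url = (buf: Buffer): string => buf.toString("base64url");

// Example-only HS256 signer so tokens can be minted offline (the server itself uses the
// jsonwebtoken library at login); this does not belong in the API code path.
export function signHS256(payload: object, secret: string): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = b64url(crypto.createHmac("sha256", secret).update(`${header}.${body}`).digest());
  return `${header}.${body}.${sig}`;
}

// Verifies an HS256 token: pins the algorithm (rejects "none" and anything else), compares the
// MAC in constant time, then enforces exp. Returns the payload or null; never throws on garbage.
export function verifyHS256(token: string, secret: string): Usuario | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts as [string, string, string];
  try {
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    if (hdr.alg !== "HS256") return null;
    const expected = crypto.createHmac("sha256", secret).update(`${header}.${body}`).digest();
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as Usuario;
    if (typeof payload.exp !== "number" || payload.exp <= Math.floor(Date.now() / 1000)) return null;
    return payload;
  } catch {
    return null;
  }
}

// Authentication: 401 unless a valid, unexpired Bearer token is present. (401 messages are assumed.)
export const verificarToken: Middleware = (req, res, next) => {
  const [scheme, token] = (req.headers.authorization ?? "").split(" ");
  if (scheme !== "Bearer" || !token) { res.status(401).json({ error: "Token requerido" }); return; }
  const usuario = verifyHS256(token, JWT_SECRET);
  if (!usuario) { res.status(401).json({ error: "Token invalido" }); return; }
  req.usuario = usuario;
  next();
};

// Authorization: only Administrador may pass. Relies on verificarToken having populated req.usuario.
export const soloAdmin: Middleware = (req, res, next) => {
  if (req.usuario?.rol !== "Administrador") {
    res.status(403).json({ error: "Acceso restringido a administradores" }); return;
  }
  next();
};

// Authorization: Administrador or Operador may pass; Tecnico is stopped with 403.
export const soloAdminOOperador: Middleware = (req, res, next) => {
  const rol = req.usuario?.rol;
  if (rol !== "Administrador" && rol !== "Operador") {
    res.status(403).json({ error: "Acceso restringido a administradores y operadores" }); return;
  }
  next();
};

// Drives a chain the way Express would: each middleware runs only if the previous one called next().
// Returns the status the chain settled on; 200 stands in for "the controller was reached".
export function runChain(authorization: string | undefined, chain: Middleware[]): { status: number; body?: unknown } {
  const req: Req = { headers: { authorization } };
  let status: number | undefined;
  let body: unknown;
  const res: Res = {
    status(code) { status = code; return res; },
    json(b) { body = b; return res; },
  };
  let i = 0;
  const next = (): void => { const mw = chain[i++]; if (mw) mw(req, res, next); };
  next();
  return status === undefined ? { status: 200 } : { status, body };
}

// Stand-alone demo: a Tecnico token hitting an admin-only chain is stopped with 403.
const demoNow = Math.floor(Date.now() / 1000);
const tecnicoToken = signHS256({ id: 3, username: "tecnico1", rol: "Tecnico", exp: demoNow + 3600 }, JWT_SECRET);
console.log(runChain(`Bearer ${tecnicoToken}`, [verificarToken, soloAdmin]));
```

The order in runChain mirrors the route definitions: because soloAdmin only reads req.usuario, everything that can make a token untrustworthy (missing header, bad MAC, edited claims, alg "none", expiry) has to be settled inside verificarToken, which is why the role guards must always sit behind it.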
Usernames cannot contain whitespace. This constraint is validated at both POST /api/auth/login and POST /api/auth/register — requests where username matches /\s/ are rejected with 400 before any database lookup is performed.
