The Eco-It admin panel is a protected area of the platform that gives privileged users full control over users, recycling map points, content moderation notifications, and a complete audit trail of every administrative action. It is accessible at the /admin route and requires the requesting user’s JWT to carry a rol value of either admin or superadmin. Any request made to the /api/admin/* endpoints without one of those roles returns an HTTP 403 Forbidden response from the soloAdmin middleware.
Role Hierarchy
Eco-It uses a three-tier role model enforced on every admin API call by the authMiddleware.js guards.
| Role | Can access /admin | Can ban / unban / delete users | Can change roles | Can delete notifications & audit logs |
|---|---|---|---|---|
| user | ❌ | ❌ | ❌ | ❌ |
| admin | ✅ | ✅ | ❌ | ❌ |
| superadmin | ✅ | ✅ | ✅ (to user or admin only) | ✅ |
Admin Panel Sections
The admin panel is divided into six functional areas, each backed by dedicated API endpoints:
Dashboard & Statistics
KPI cards for total users, online users, AI queries today, and new registrations. Includes bar charts filterable by 7 days, 30 days, and the current year. Powered by GET /api/admin/stats.
User Management
List, search, filter, ban, unban, delete, and change roles for every registered account. Supports real-time online/offline status via Socket.io.
Recycling Map
Full CRUD for geo-referenced recycling collection points. Supports five point types, Cloudinary image uploads, and real-time map updates pushed to all connected users.
Carousel
Manage the promotional image carousel shown on the public-facing home page. Requires admin role.
Audit Logs
A tamper-evident log of every significant admin action (bans, role changes, deletions). Readable by admins, deletable only by superadmin.
Notifications
Real-time alerts generated by EcoBot content moderation (offensive language, obscene images) and by user ban events. Marked per-admin, deletable by superadmin only.
Accessing the Admin Panel
Authenticate
Log in to Eco-It with an account that has rol: admin or rol: superadmin. The login endpoint returns a JWT signed with JWT_SECRET.
Navigate to /admin
Open /admin in the browser. The frontend reads the role from the decoded token stored in AuthContext. If the role is insufficient, the user is redirected before the request ever reaches the server.
Include the JWT on every API call
Every admin API request must carry the token in the Authorization header. The verificarToken middleware validates the token, fetches the live user document from MongoDB, checks for active bans, and attaches the full user object to req.usuario for downstream controllers.
Real-Time Socket.io Integration
The admin panel connects to the Eco-It Socket.io server and joins the admins room automatically upon authentication. This enables the following live events without any page refresh:
| Event | Direction | Description |
|---|---|---|
| admin:usuario_baneado | Server → admin room | Broadcast when any admin bans a user. Carries the notification payload so the Notifications panel updates live. |
| admin:audit_update | Server → admin room | Emitted by auditLogger.js every time a new audit log entry is created. Keeps the Audit Logs view current in real time. |
| usuario:estado | Server → admin room | Fired when a user connects or disconnects. Updates the online/offline indicator in the Users table. |
| map:updated | Server → all clients | Emitted after any recycling point create, update, delete, or toggle. Refreshes the public map for all users simultaneously. |
When a superadmin changes a user’s role to admin at runtime, the backend immediately calls socket.join('admins') on all of that user’s active socket connections, granting them access to admin-room events without requiring a logout/login cycle.
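The runtime promotion just described, as an added example that is not part of Eco-It's code: an in-memory model of Socket.io rooms in which a user with several open connections is promoted to admin, every one of those connections joins the admins room, and a subsequent room-scoped admin:audit_update reaches them. The FakeServer and FakeSocket classes stand in for the Socket.io server (only join, leave and to(room).emit are modelled), and the demotion branch of aplicarCambioRol is an assumption added here for symmetry; the page only describes the promotion path. Socket ids, user ids and payloads are constructed.

```javascript
// Added example (not Eco-It's socket code): a minimal stand-in for Socket.io
// rooms showing how a role change at runtime is applied to every active
// connection of the affected user. All identifiers and payloads are constructed.
class FakeSocket {
  constructor(id, userId) {
    this.id = id;
    this.userId = userId;   // user this connection was authenticated as
    this.rooms = new Set(); // rooms this socket currently belongs to
    this.received = [];     // events delivered to this socket
  }
  join(room) { this.rooms.add(room); }
  leave(room) { this.rooms.delete(room); }
}

class FakeServer {
  constructor() { this.sockets = new Map(); } // socketId -> FakeSocket
  connect(id, userId) {
    const s = new FakeSocket(id, userId);
    this.sockets.set(id, s);
    return s;
  }
  disconnect(id) { this.sockets.delete(id); }
  // Every live connection for one user (several tabs or devices).
  socketsOf(userId) {
    return [...this.sockets.values()].filter((s) => s.userId === userId);
  }
  // Models io.to(room).emit(event, payload); returns how many sockets received it.
  to(room) {
    return {
      emit: (event, payload) => {
        let delivered = 0;
        for (const s of this.sockets.values()) {
          if (s.rooms.has(room)) { s.received.push({ event, payload }); delivered++; }
        }
        return delivered;
      },
    };
  }
}

const ADMIN_ROLES = new Set(['admin', 'superadmin']);

// Connection-time path: admins join the room when they authenticate.
function onAuthenticated(socket, usuario) {
  if (ADMIN_ROLES.has(usuario.rol)) socket.join('admins');
}

// Role-change path: update the stored role and bring room membership of every
// active socket into line with it. Promotion joins 'admins' as the page describes;
// the demotion branch (leave) is an assumption added for symmetry.
function aplicarCambioRol(io, usuario, nuevoRol) {
  const eraAdmin = ADMIN_ROLES.has(usuario.rol);
  usuario.rol = nuevoRol;
  const esAdmin = ADMIN_ROLES.has(nuevoRol);
  const sockets = io.socketsOf(usuario._id);
  if (esAdmin && !eraAdmin) sockets.forEach((s) => s.join('admins'));
  if (!esAdmin && eraAdmin) sockets.forEach((s) => s.leave('admins'));
  return sockets.length; // number of live connections updated
}

// Walk through: one admin online, one ordinary user with two open connections,
// who is promoted while connected.
function demo() {
  const io = new FakeServer();
  const admin = { _id: 'a1', rol: 'admin' };
  const pepe = { _id: 'u7', rol: 'user' };
  const sAdmin = io.connect('s-a', admin._id); onAuthenticated(sAdmin, admin);
  const s1 = io.connect('s-1', pepe._id); onAuthenticated(s1, pepe);
  const s2 = io.connect('s-2', pepe._id); onAuthenticated(s2, pepe);

  const before = io.to('admins').emit('admin:audit_update', { accion: 'ban' });
  const updated = aplicarCambioRol(io, pepe, 'admin');
  const after = io.to('admins').emit('admin:audit_update', { accion: 'role_change' });
  const revoked = aplicarCambioRol(io, pepe, 'user');
  const afterDemotion = io.to('admins').emit('admin:audit_update', { accion: 'ban' });

  return {
    before,          // only the original admin socket
    updated,         // both of pepe's connections were joined
    after,           // admin + pepe's two sockets
    afterDemotion,   // back to the original admin only
    s1Received: s1.received.length,
    s2InAdmins: s2.rooms.has('admins'),
    revoked,
  };
}

console.log(demo());
```

The point the model makes visible is that room membership is per connection, not per user: a promotion that joins only the socket that happened to trigger it would leave the user's other tabs without admin events, which is why the page describes iterating over all of that user's active connections.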