The /api/user router exposes endpoints for authenticated users to manage their own profile, change their password, and permanently delete their account. It also hosts a public endpoint that serves recycling collection point data for the interactive map, and a mirror of the password-recovery flow for convenience on the client side.
All protected endpoints require an Authorization: Bearer <token> header. Tokens are issued by the auth endpoints and expire in 12 hours (login) or 7 days (registration verification).

Profile endpoints

GET /api/user/perfil

Returns the full profile of the currently authenticated user. The password field is never included in the response (select: false at the model level).

Authentication: Required.

Response

success (boolean): true on success.
data (object): User profile object.
data.id (string): MongoDB _id.
data.nombre (string): First name.
data.apellido (string): Last name.
data.email (string): Email address (lowercase).
data.telefono (string): Phone number.
data.edad (number): Age.
data.avatar (string): URL of the user’s avatar image, or empty string if not set.
data.rol (string): Role: "user", "admin", or "superadmin".
data.status (string): Account status: "active", "inactive", or "banned".
data.banHasta (string | null): ISO 8601 date-time until which the account is banned, or null.
data.banReason (string | null): Human-readable reason for the ban, or null.
data.perfilCompleto (boolean): true when all required profile fields have been filled in.
data.createdAt (string): ISO 8601 account creation timestamp.

curl -X GET https://api.eco-it.app/api/user/perfil \
  -H "Authorization: Bearer <token>"

{
  "success": true,
  "data": {
    "id": "665f1a2b3c4d5e6f7a8b9c0d",
    "nombre": "Valentina",
    "apellido": "Ríos",
    "email": "valentina@example.com",
    "telefono": "3001234567",
    "edad": 28,
    "avatar": "https://res.cloudinary.com/eco-it/image/upload/v1/avatars/valentina.jpg",
    "rol": "user",
    "status": "active",
    "banHasta": null,
    "banReason": null,
    "perfilCompleto": true,
    "createdAt": "2024-06-04T15:30:00.000Z"
  }
}

PUT /api/user/perfil

Updates one or more profile fields for the authenticated user. Only the fields included in the request body are modified; omitted fields are left unchanged.

Authentication: Required.

Request body (all fields are optional; include only those to update)

nombre (string): New first name.
apellido (string): New last name.
telefono (string): New phone number.
edad (number): New age.
avatar (string): URL pointing to the user’s new avatar image (e.g., a Cloudinary URL obtained after a separate upload).

Response

success (boolean)
mensaje (string): "Perfil actualizado exitosamente".
data (object): Updated user data: id, nombre, apellido, email, telefono, edad, avatar.

curl -X PUT https://api.eco-it.app/api/user/perfil \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{ "nombre": "Vale", "telefono": "3109876543" }'

{
  "success": true,
  "mensaje": "Perfil actualizado exitosamente",
  "data": {
    "id": "665f1a2b3c4d5e6f7a8b9c0d",
    "nombre": "Vale",
    "apellido": "Ríos",
    "email": "valentina@example.com",
    "telefono": "3109876543",
    "edad": 28,
    "avatar": "https://res.cloudinary.com/eco-it/image/upload/v1/avatars/valentina.jpg"
  }
}
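
GET /api/user/perfil returns server-controlled fields (rol, status, banHasta, banReason) that the PUT request body does not list, so the update handler should copy only the five documented fields from the body. The following is an added example, not code from the Eco-It project, showing one way to enforce that with an allowlist; the function names, the length and age limits, the phone pattern and the https-only avatar rule are assumptions.

```javascript
// Added example, not Eco-It source: allowlist filter for PUT /api/user/perfil.
// Field names come from the request-body list above; the length limits,
// age range, phone pattern and https-only avatar rule are assumptions.
const EDITABLE = {
  nombre:   (v) => typeof v === "string" && v.trim().length > 0 && v.length <= 60,
  apellido: (v) => typeof v === "string" && v.trim().length > 0 && v.length <= 60,
  telefono: (v) => typeof v === "string" && /^\+?\d{7,15}$/.test(v),
  edad:     (v) => Number.isInteger(v) && v >= 0 && v <= 120,
  avatar:   (v) => typeof v === "string" && (v === "" || isHttpsUrl(v)),
};

function isHttpsUrl(value) {
  try {
    return new URL(value).protocol === "https:";
  } catch {
    return false; // not a parseable absolute URL
  }
}

// Returns { updates, rejected }: `updates` holds only validated, editable
// fields; `rejected` names everything else so the caller can answer 400 or log it.
function pickProfileUpdates(body) {
  const updates = {};
  const rejected = [];
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { updates, rejected: ["<body>"] };
  }
  for (const [key, value] of Object.entries(body)) {
    // Own-property lookup, so "__proto__" or "constructor" never match.
    if (Object.hasOwn(EDITABLE, key) && EDITABLE[key](value)) {
      updates[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { updates, rejected };
}

// Constructed request body: two legitimate fields plus fields that
// GET /perfil returns but that the PUT body does not document.
const sample = { nombre: "Vale", telefono: "3109876543", rol: "admin", status: "active", banHasta: null };
console.log(pickProfileUpdates(sample));
```

Passing only `updates` to the database call keeps role and ban state out of reach of this endpoint regardless of what the client sends.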

DELETE /api/user/perfil

Permanently deletes the authenticated user’s account. This action is irreversible. An audit log entry is created automatically.

Authentication: Required.

Request body: None.

Response

success (boolean)
mensaje (string): "Cuenta eliminada exitosamente".

Account deletion is permanent. All user data, chat history, and saved preferences are removed. Consider warning the user in the UI with a confirmation dialog before calling this endpoint.

curl -X DELETE https://api.eco-it.app/api/user/perfil \
  -H "Authorization: Bearer <token>"

{ "success": true, "mensaje": "Cuenta eliminada exitosamente" }

Password change

PUT /api/user/cambiar-password

Allows an authenticated user to change their own password by supplying the current password for verification. The new password is hashed automatically by the Mongoose pre('save') hook.

Authentication: Required.

This endpoint is for authenticated users who know their current password. For unauthenticated password recovery via email code, use the /api/auth/recuperar-password flow or the recovery mirror routes documented below.

Request body

passwordActual (string, required): The user’s current (existing) password in plain text.
passwordNueva (string, required): The desired new password. Minimum 8 characters (enforced by the controller before saving).

Response

success (boolean)
mensaje (string): "Contraseña cambiada exitosamente" on success.

curl -X PUT https://api.eco-it.app/api/user/cambiar-password \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{ "passwordActual": "MiClave2024!", "passwordNueva": "MiClaveNueva2025!" }'

{ "success": true, "mensaje": "Contraseña cambiada exitosamente" }

Error cases

| Condition | Status | Message |
| --- | --- | --- |
| passwordActual or passwordNueva missing | 400 | "Debes proporcionar la contraseña actual y la nueva" |
| New password fewer than 8 characters | 400 | "La nueva contraseña debe tener al menos 8 caracteres" |
| Current password incorrect | 401 | "La contraseña actual es incorrecta" |
| User not found | 404 | "Usuario no encontrado" |
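
One way to implement the checks in the error table, as an added example rather than the project's controller. scrypt stands in for whatever hash the pre('save') hook applies, the users Map is constructed sample data, and the check order, the function names and the rejection of non-string values (which keeps JSON objects out of the password comparison) are assumptions.

```javascript
// Added example, not Eco-It source. scrypt is a stand-in for the hash applied
// by the Mongoose pre('save') hook; `users` is a constructed in-memory store.
const nodeCrypto = require("node:crypto");

function hashPassword(plain, salt = nodeCrypto.randomBytes(16)) {
  const key = nodeCrypto.scryptSync(plain, salt, 32);
  return `${salt.toString("hex")}:${key.toString("hex")}`;
}

function verifyPassword(plain, stored) {
  const [saltHex, keyHex] = stored.split(":");
  const expected = Buffer.from(keyHex, "hex");
  const actual = nodeCrypto.scryptSync(plain, Buffer.from(saltHex, "hex"), expected.length);
  return nodeCrypto.timingSafeEqual(actual, expected); // constant-time comparison
}

const users = new Map([
  ["665f1a2b3c4d5e6f7a8b9c0d", { password: hashPassword("MiClave2024!") }],
]);

// Returns the status and message from the error table; the order is assumed.
function changePassword(userId, body) {
  const { passwordActual, passwordNueva } = body || {};
  // Type check first: a JSON body can carry objects or arrays in these fields.
  if (typeof passwordActual !== "string" || typeof passwordNueva !== "string" ||
      !passwordActual || !passwordNueva) {
    return { status: 400, mensaje: "Debes proporcionar la contraseña actual y la nueva" };
  }
  if (passwordNueva.length < 8) {
    return { status: 400, mensaje: "La nueva contraseña debe tener al menos 8 caracteres" };
  }
  const user = users.get(userId);
  if (!user) return { status: 404, mensaje: "Usuario no encontrado" };
  if (!verifyPassword(passwordActual, user.password)) {
    return { status: 401, mensaje: "La contraseña actual es incorrecta" };
  }
  user.password = hashPassword(passwordNueva); // fresh salt on every change
  return { status: 200, mensaje: "Contraseña cambiada exitosamente" };
}
```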

Public map points

GET /api/user/map-points

Returns all recycling collection points that are both activo: true and visibleToUser: true. This is the data source for the Eco-It interactive Leaflet map displayed to regular users.

Authentication: Not required (public endpoint).

Response

success (boolean)
puntos (array): Array of processed point objects, sorted newest first.
puntos[].id (string): MongoDB _id of the point.
puntos[].nombre (string): Display name of the collection point.
puntos[].tipo (string): Point category. One of: "recycling", "ecobottle", "truck", "container", "green_zone".
puntos[].lat (number): Latitude coordinate.
puntos[].lng (number): Longitude coordinate.
puntos[].imagen (string): Cloudinary URL of the point’s photo, or empty string.
puntos[].descripcion (string): Short description of the collection point.

curl -X GET https://api.eco-it.app/api/user/map-points

{
  "success": true,
  "puntos": [
    {
      "id": "6660aabb1122334455667788",
      "nombre": "Punto Verde Chapinero",
      "tipo": "recycling",
      "lat": 4.6486,
      "lng": -74.0596,
      "imagen": "https://res.cloudinary.com/eco-it/image/upload/v1/ecoit_map_points/punto_verde.jpg",
      "descripcion": "Punto de reciclaje en el parque principal de Chapinero."
    }
  ]
}
The same data is also available at GET /api/map/points via a dedicated map router. Both endpoints query identical data from the PuntoReciclaje collection. See the Map Endpoints page for full schema documentation.

Password recovery mirror routes

The following recovery routes are mounted on /api/user for client-side convenience. They call the same controller functions as their /api/auth counterparts and behave identically. Refer to the Auth Endpoints page for complete documentation.

| Method | Path | Description |
| --- | --- | --- |
| POST | /api/user/recuperar-password | Send a 6-digit recovery code to the user’s email. |
| POST | /api/user/verificar-codigo | Verify the recovery code (pre-reset validation step). |
| POST | /api/user/reenviar-codigo | Resend the recovery code (3-minute cooldown). |
| POST | /api/user/restablecer-password | Set a new password using a valid code. |

These routes are public (no JWT required) because the user cannot authenticate when they have forgotten their password.
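
Because the same public controllers are reachable under both /api/auth and /api/user, any cooldown or attempt counter has to be keyed by account rather than by request path, so that both mount points draw on one shared budget. The following is an added example, not Eco-It code: the 3-minute cooldown is taken from the table above, while MAX_VERIFY_ATTEMPTS, the function names and the in-memory Map are assumptions.

```javascript
// Added example, not Eco-It source: one throttle shared by the /api/auth/*
// and /api/user/* recovery routes. The 3-minute cooldown is from the table
// above; MAX_VERIFY_ATTEMPTS and the in-memory Map are assumptions.
const RESEND_COOLDOWN_MS = 3 * 60 * 1000;
const MAX_VERIFY_ATTEMPTS = 5; // assumed cap on wrong guesses per issued code

const state = new Map(); // key: normalized email, never the request path

function entryFor(email) {
  const key = String(email).trim().toLowerCase();
  if (!state.has(key)) state.set(key, { lastSentAt: null, failedAttempts: 0 });
  return state.get(key);
}

// Called by recuperar-password and reenviar-codigo on either mount point.
function allowSend(email, now = Date.now()) {
  const entry = entryFor(email);
  if (entry.lastSentAt !== null && now - entry.lastSentAt < RESEND_COOLDOWN_MS) {
    return { allowed: false, retryAfterMs: RESEND_COOLDOWN_MS - (now - entry.lastSentAt) };
  }
  entry.lastSentAt = now;
  entry.failedAttempts = 0; // a fresh code gets a fresh guess budget
  return { allowed: true, retryAfterMs: 0 };
}

// Called by verificar-codigo and restablecer-password on either mount point.
// Once the cap is reached, even a correct code is refused until a new one is sent.
function recordVerify(email, codeMatches) {
  const entry = entryFor(email);
  if (entry.failedAttempts >= MAX_VERIFY_ATTEMPTS) return { allowed: false, locked: true };
  if (codeMatches) {
    entry.failedAttempts = 0;
    return { allowed: true, locked: false };
  }
  entry.failedAttempts += 1;
  return { allowed: false, locked: entry.failedAttempts >= MAX_VERIFY_ATTEMPTS };
}
```

In a multi-instance deployment the Map would be replaced by a shared store with expiring keys so that every server process sees the same counters.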

Error reference

| HTTP Status | Cause |
| --- | --- |
| 400 | Validation error (missing fields, password too short) |
| 401 | Missing or invalid JWT; incorrect current password |
| 404 | Authenticated user’s record not found in the database |
| 500 | Internal server error |
