Admin Dashboard
The admin module exposes management endpoints for users. All routes are protected by both JwtAuthGuard and AdminGuard.
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /admin/users | List users (paginated, filterable, sortable) |
| GET | /admin/users/:id | Get a single user by ID |
| PATCH | /admin/users/:id | Update a user |
| DELETE | /admin/users/:id | Delete a user |
User Listing
GET /admin/users accepts the following query parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
| page | integer | 1 | Page number (min 1) |
| limit | integer | 20 | Items per page (1-100) |
| search | string | -- | Search by email or name |
| status | string | -- | active or inactive (subscription status) |
| sortBy | string | createdAt | Sort field: createdAt, email, or name |
| sortOrder | string | desc | asc or desc |
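The table above fixes the bounds and allowed values for each parameter. The example below is added here and is not the project's own code: it shows how a handler can normalise and validate the raw query object before anything reaches the data layer, so that `sortBy` can only ever be one of the three listed columns (never an arbitrary string that ends up in an ORDER BY clause), `limit` is capped at 100, and array-shaped values such as `?page[]=1` are rejected rather than silently coerced. The `MAX_SEARCH_LENGTH` cap is an assumption, not something the page states.

```typescript
// Added example: validation of the GET /admin/users query parameters.
// Not the project's own code. Raw query values arrive as strings (or arrays/objects
// when a client repeats a key), so every field is checked before use.

type SortBy = 'createdAt' | 'email' | 'name';
type SortOrder = 'asc' | 'desc';
type Status = 'active' | 'inactive';

interface UserListQuery {
  page: number;
  limit: number;
  search?: string;
  status?: Status;
  sortBy: SortBy;
  sortOrder: SortOrder;
}

// Allow-lists taken from the parameter table. Comparing against fixed names means
// user input never reaches an ORDER BY or WHERE clause unchecked.
const SORT_FIELDS: readonly SortBy[] = ['createdAt', 'email', 'name'];
const SORT_ORDERS: readonly SortOrder[] = ['asc', 'desc'];
const STATUSES: readonly Status[] = ['active', 'inactive'];
const MAX_LIMIT = 100;
const MAX_SEARCH_LENGTH = 200; // assumption: the page states no cap on search length

class BadRequestError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'BadRequestError';
  }
}

// Reject anything that is not a single string (arrays/objects from repeated keys).
function pickString(raw: Record<string, unknown>, key: string): string | undefined {
  const v = raw[key];
  if (v === undefined) return undefined;
  if (typeof v !== 'string') throw new BadRequestError(`${key} must be a single string`);
  return v;
}

function parsePositiveInt(raw: string | undefined, key: string, fallback: number): number {
  if (raw === undefined) return fallback;
  // Digits only: rejects "1e3", "-5", " 2", "0x10" and similar coercion surprises.
  if (!/^\d+$/.test(raw)) throw new BadRequestError(`${key} must be a positive integer`);
  const n = Number(raw);
  if (n < 1) throw new BadRequestError(`${key} must be at least 1`);
  return n;
}

function oneOf<T extends string>(raw: string | undefined, allowed: readonly T[], key: string): T | undefined {
  if (raw === undefined) return undefined;
  if (!(allowed as readonly string[]).includes(raw)) {
    throw new BadRequestError(`${key} must be one of ${allowed.join(', ')}`);
  }
  return raw as T;
}

function parseUserListQuery(raw: Record<string, unknown>): UserListQuery {
  const page = parsePositiveInt(pickString(raw, 'page'), 'page', 1);
  const limit = parsePositiveInt(pickString(raw, 'limit'), 'limit', 20);
  if (limit > MAX_LIMIT) throw new BadRequestError(`limit must be at most ${MAX_LIMIT}`);

  const search = pickString(raw, 'search')?.trim();
  if (search !== undefined && search.length > MAX_SEARCH_LENGTH) {
    throw new BadRequestError(`search must be at most ${MAX_SEARCH_LENGTH} characters`);
  }

  return {
    page,
    limit,
    search: search ? search : undefined,
    status: oneOf(pickString(raw, 'status'), STATUSES, 'status'),
    sortBy: oneOf(pickString(raw, 'sortBy'), SORT_FIELDS, 'sortBy') ?? 'createdAt',
    sortOrder: oneOf(pickString(raw, 'sortOrder'), SORT_ORDERS, 'sortOrder') ?? 'desc',
  };
}

// Returns the validation error message for a raw query, or null if it is accepted.
function validationError(raw: Record<string, unknown>): string | null {
  try {
    parseUserListQuery(raw);
    return null;
  } catch (e) {
    if (e instanceof Error && e.name === 'BadRequestError') return e.message;
    throw e;
  }
}
```

In a NestJS handler this logic would normally live in a `ValidationPipe`-backed DTO; the point here is the shape of the checks (allow-list, hard upper bound, single-string enforcement), which is the same whichever mechanism enforces them.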
Access Control
AdminGuard
The AdminGuard checks the systemRole field on the authenticated user. Only users with ADMIN or SUPER_ADMIN system roles are allowed through.
```typescript
import { Controller, UseGuards } from '@nestjs/common';
// JwtAuthGuard and AdminGuard are imported from the module's own guard files (paths not shown on this page).

@UseGuards(JwtAuthGuard, AdminGuard)
@Controller('admin')
export class AdminController { ... }
```
SUPER_ADMIN Privilege
The PATCH /admin/users/:id endpoint accepts a systemRole field, but only a SUPER_ADMIN can change another user's system role. If a regular ADMIN sends a request that includes systemRole, the API returns 403 Forbidden.
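The two checks described in this section (the class-level AdminGuard and the SUPER_ADMIN-only check inside the update handler) are shown together below as an added example; it is not the project's own code. To run without `@nestjs/common`, it uses minimal stand-ins for Nest's `ExecutionContext` and `ForbiddenException` (an assumption, labelled in the comments); the `USER` role value and the `UpdateUserDto` shape are also assumptions, since the page lists only ADMIN and SUPER_ADMIN.

```typescript
// Added example: AdminGuard plus the SUPER_ADMIN check for PATCH /admin/users/:id.
// Not the project's own code. The interfaces below are stand-ins for Nest's
// ExecutionContext and ForbiddenException so the block runs offline (assumption).

type SystemRole = 'USER' | 'ADMIN' | 'SUPER_ADMIN'; // 'USER' is an assumed non-admin role

interface AuthUser {
  id: string;
  systemRole: SystemRole;
}

interface RequestLike {
  user?: AuthUser; // attached by JwtAuthGuard, which runs before AdminGuard
}

interface ExecutionContextLike {
  switchToHttp(): { getRequest(): RequestLike };
}

class ForbiddenException extends Error {
  readonly status = 403;
  constructor(message: string) {
    super(message);
    this.name = 'ForbiddenException';
  }
}

// Roles the page says may pass AdminGuard.
const ADMIN_ROLES: ReadonlySet<string> = new Set<SystemRole>(['ADMIN', 'SUPER_ADMIN']);

class AdminGuard {
  canActivate(ctx: ExecutionContextLike): boolean {
    const user = ctx.switchToHttp().getRequest().user;
    // Fail closed: no user (guard ordering mistake) or a non-admin role is denied.
    // In Nest, returning false makes the framework respond 403 Forbidden.
    return user !== undefined && ADMIN_ROLES.has(user.systemRole);
  }
}

interface UpdateUserDto {
  name?: string;
  systemRole?: SystemRole;
}

// The explicit in-handler check: the guard already proved the caller is an admin,
// so the only extra question is whether the body tries to change systemRole.
function assertCanUpdate(actor: AuthUser, dto: UpdateUserDto): void {
  if (dto.systemRole !== undefined && actor.systemRole !== 'SUPER_ADMIN') {
    throw new ForbiddenException('Only SUPER_ADMIN may change systemRole');
  }
}

// Builds a fake ExecutionContext carrying the given user (or none).
function makeContext(user?: AuthUser): ExecutionContextLike {
  return { switchToHttp: () => ({ getRequest: () => ({ user }) }) };
}

// True if the update would be accepted, false if it is rejected with 403.
function updateAllowed(actor: AuthUser, dto: UpdateUserDto): boolean {
  try {
    assertCanUpdate(actor, dto);
    return true;
  } catch (e) {
    if (e instanceof Error && e.name === 'ForbiddenException') return false;
    throw e;
  }
}
```

Note that the check keys on the presence of `systemRole` in the body, not on whether the value differs from the current one: an ADMIN who sends `systemRole` equal to the target's existing role is still refused, which keeps the rule simple and avoids a read-before-check race.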
Extending the Admin Module
To add new admin endpoints (e.g., subscription metrics, impersonation):
- Add a method to `AdminService`.
- Add a route to `AdminController` -- the class-level guards (`JwtAuthGuard`, `AdminGuard`) apply automatically.
- For `SUPER_ADMIN`-only operations, add an explicit check inside the handler, as shown in the `updateUser` method.