Admin Access Required: All endpoints in this section require ROLE_ADMIN authority. Unauthorized requests will receive a 403 Forbidden response.

Authentication & Authorization

Admin endpoints use a role-based access control (RBAC) system built on Spring Security and JWT authentication.

Role Requirements

Admin endpoints require:
  • Valid JWT token in the Authorization header
  • User account with ROLE_ADMIN authority assigned
The system validates both authentication (valid token) and authorization (admin role) before processing requests.

Security Implementation

Authorization Header Format:
Authorization: Bearer <jwt_token>
Role Validation: All /api/admin/** routes are protected by the hasAuthority("ROLE_ADMIN") security rule defined in SecurityConfig.java:52.
Session Management: Stateless JWT-based authentication (no server-side sessions).

Available Endpoints

Toggle TKOH Collaborator Status

curl -X POST https://api.portfoliohub.com/api/admin/profiles/{profileId}/toggle-collaborator \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json"
Toggle the TKOH Collaborator status for a specific profile. This administrative action marks or unmarks a user as an official collaborator.

Path Parameters

profileId (long, required): The unique identifier of the profile to update

Response

success (boolean, required): Indicates whether the operation completed successfully
message (string, required): Human-readable message describing the result (e.g., “Estado de colaborador actualizado”)
timestamp (string, required): ISO 8601 timestamp of when the response was generated
data (object, required): The updated profile information
data.id (long): Profile unique identifier
data.slug (string): URL-friendly profile identifier
data.fullName (string): User’s full name
data.headline (string): Professional headline or tagline
data.bio (string): Profile biography or description
data.contactEmail (string): Public contact email address
data.location (string): Geographic location
data.avatarUrl (string): URL to the profile avatar image
data.resumeUrl (string): URL to the user’s resume document

Response Example

{
  "success": true,
  "message": "Estado de colaborador actualizado",
  "timestamp": "2026-03-09T15:30:45.123Z",
  "data": {
    "id": 42,
    "slug": "john-doe",
    "fullName": "John Doe",
    "headline": "Full Stack Developer",
    "bio": "Passionate developer with 5+ years of experience...",
    "contactEmail": "[email protected]",
    "location": "San Francisco, CA",
    "avatarUrl": "https://cdn.portfoliohub.com/avatars/john-doe.jpg",
    "resumeUrl": "https://cdn.portfoliohub.com/resumes/john-doe.pdf"
  }
}

Error Responses

403 Forbidden - User lacks admin privileges
{
  "success": false,
  "message": "Access denied",
  "timestamp": "2026-03-09T15:30:45.123Z",
  "data": null
}
401 Unauthorized - Invalid or missing JWT token
{
  "success": false,
  "message": "Authentication required",
  "timestamp": "2026-03-09T15:30:45.123Z",
  "data": null
}
404 Not Found - Profile does not exist
{
  "success": false,
  "message": "Profile not found",
  "timestamp": "2026-03-09T15:30:45.123Z",
  "data": null
}

Access Control Details

User Roles

The system uses a simple role-based model stored in the roles field of the User entity:
  • ROLE_USER: Standard user with access to their own profile management
  • ROLE_ADMIN: Administrator with access to all admin endpoints

JWT Token Claims

Admin authentication tokens include the following claims:
sub (string, required): Subject - the user’s email address
userId (long, required): The user’s database identifier
profileId (long, required): The associated profile identifier
iat (long, required): Issued at timestamp (Unix time)
exp (long, required): Expiration timestamp (Unix time)
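As an added example (not the project's JwtService.java or its own filter), a OncePerRequestFilter that performs the JWT authentication step against the claims listed above: the jjwt 0.12 parser verifies the signature and the exp claim, sub/userId/profileId are read into a principal, and, because the token carries no role claim, authorities are loaded from the User entity's roles through an assumed UserRoleLookup. The signing key, the lookup interface and the JwtPrincipal record are assumptions.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.crypto.SecretKey;
import java.io.IOException;
import java.util.List;

public class JwtAuthenticationFilter extends OncePerRequestFilter {
    // Assumed: HMAC key loaded from application configuration (never hard-coded)
    private final SecretKey signingKey;
    // Assumed: loads the roles field of the User entity for the given email
    private final UserRoleLookup roleLookup;
    public JwtAuthenticationFilter(SecretKey key, UserRoleLookup lookup) { this.signingKey = key; this.roleLookup = lookup; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                // jjwt 0.12 API: rejects a bad signature or an expired exp claim with a JwtException
                Claims claims = Jwts.parser().verifyWith(signingKey).build()
                        .parseSignedClaims(header.substring("Bearer ".length())).getPayload();
                String email = claims.getSubject();                 // sub: the user's email
                Long userId = claims.get("userId", Long.class);      // database identifier
                Long profileId = claims.get("profileId", Long.class);// associated profile
                // Authorities come from the stored roles rather than the token, so a role
                // removed from the User entity stops working without waiting for exp.
                List<SimpleGrantedAuthority> authorities = roleLookup.rolesFor(email).stream()
                        .map(SimpleGrantedAuthority::new).toList();
                var auth = new UsernamePasswordAuthenticationToken(
                        new JwtPrincipal(email, userId, profileId), null, authorities);
                SecurityContextHolder.getContext().setAuthentication(auth);
            } catch (JwtException | IllegalArgumentException e) {
                SecurityContextHolder.clearContext(); // stay anonymous; the entry point answers 401
            }
        }
        chain.doFilter(req, res);
    }
    public record JwtPrincipal(String email, Long userId, Long profileId) {}
    public interface UserRoleLookup { List<String> rolesFor(String email); }
}
```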

Security Filter Chain

The admin endpoints are protected by the following security mechanisms:
  1. JWT Authentication Filter: Validates the JWT token and extracts user details
  2. Authorization Check: Verifies the user has ROLE_ADMIN authority
  3. Stateless Sessions: No server-side session management required
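As an added example (not the project's SecurityConfig.java), the three mechanisms above expressed as a Spring Security 6 configuration: stateless sessions, the /api/admin/** hasAuthority("ROLE_ADMIN") rule, a JWT filter placed ahead of Spring's username/password filter, and handlers that emit the 401 and 403 envelopes shown under Error Responses. The class name and the injected jwtAuthenticationFilter bean are assumptions.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.time.Instant;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class AdminSecurityExampleConfig {
    // Assumed: a bean that validates the bearer JWT and populates the SecurityContext
    private final Filter jwtAuthenticationFilter;
    public AdminSecurityExampleConfig(Filter jwtAuthenticationFilter) { this.jwtAuthenticationFilter = jwtAuthenticationFilter; }

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Bearer-token API with no session cookie: CSRF tokens protect nothing here
            .csrf(csrf -> csrf.disable())
            // 3. Stateless sessions: never create or consult an HttpSession
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // 2. Authorization check: every admin route needs the ROLE_ADMIN authority
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasAuthority("ROLE_ADMIN")
                .anyRequest().authenticated())
            // Missing or invalid token -> 401; authenticated but not admin -> 403
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint((req, res, e) ->
                    writeError(res, HttpStatus.UNAUTHORIZED, "Authentication required"))
                .accessDeniedHandler((req, res, e) ->
                    writeError(res, HttpStatus.FORBIDDEN, "Access denied")))
            // 1. JWT authentication filter runs before the username/password filter
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    // Writes the error envelope documented above: success=false, message, timestamp, data=null
    private static void writeError(HttpServletResponse res, HttpStatus status, String message) throws IOException {
        res.setStatus(status.value());
        res.setContentType(MediaType.APPLICATION_JSON_VALUE);
        res.getWriter().write(String.format(
            "{\"success\":false,\"message\":\"%s\",\"timestamp\":\"%s\",\"data\":null}",
            message, Instant.now()));
    }
}
```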

CORS Configuration

Admin endpoints respect the same CORS configuration as other API endpoints:
  • Allowed Methods: GET, POST, PUT, DELETE, OPTIONS, PATCH
  • Allowed Headers: Authorization, Content-Type, Cache-Control
  • Credentials: Supported for authenticated requests

Best Practices

Token Security: Never expose admin JWT tokens in client-side code, logs, or version control. Store tokens securely in environment variables or secure storage.
  1. Token Expiration: Admin tokens expire based on the application.security.jwt.expiration configuration (typically 60 minutes)
  2. Token Refresh: Implement token refresh logic before expiration to maintain admin sessions
  3. Error Handling: Always check the success field in responses and handle errors appropriately
  4. Audit Logging: Consider logging all admin actions for compliance and security auditing
  5. Rate Limiting: Implement rate limiting on admin endpoints to prevent abuse

Source Code Reference

  • Controller: studios/tkoh/portfolio/controller/AdminController.java:20
  • Security Config: studios/tkoh/portfolio/config/SecurityConfig.java:52
  • User Model: studios/tkoh/portfolio/model/User.java:51
  • JWT Service: studios/tkoh/portfolio/security/JwtService.java
