The API files are located in /api.
The structure of these files is simple: each contains a list of endpoints that connect directly to the relevant controller method.
Each controller call is wrapped in a HOC (higher-order component) called use. This is a middleware function that catches any errors thrown in the controller methods and passes them to a global error handler – this saves you from having to use try...catch in your application.
You can protect any API route and make it accessible to only a specific user level using the auth.verify middleware method. You simply pass the user permission as a parameter.
api.get('/api/user', auth.verify('user'), use(userController.get));
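The following added example (not the project's own code) sketches how a use-style wrapper and an auth.verify-style check behave for allowed, unauthenticated, under-privileged and failing requests. The permission ranking, the req.user shape, the broken controller and the dispatch stand-in for the router and global error handler are all assumptions made for illustration.

```javascript
// Added example: all names except use, auth.verify and userController.get are hypothetical.
// Assumed ranking of permission levels (higher number = more privilege).
const LEVELS = new Map([['user', 1], ['admin', 2], ['owner', 3]]);

const auth = {
  // Returns middleware that lets the request through only at or above `required`.
  // Assumes an earlier authentication step has set req.user = { permission }.
  verify(required) {
    const needed = LEVELS.get(required);
    // Reject a mistyped permission when the route is registered, not at request time.
    if (needed === undefined) throw new Error(`unknown permission "${required}"`);
    return (req, res, next) => {
      if (!req.user) return res.status(401).json({ message: 'not authenticated' });
      const held = LEVELS.get(req.user.permission) ?? 0; // unknown level gets no access
      if (held < needed) return res.status(403).json({ message: 'insufficient permission' });
      next();
    };
  },
};

// Wraps a controller so a thrown error or rejected promise reaches next(err).
const use = (fn) => (req, res, next) =>
  Promise.resolve().then(() => fn(req, res, next)).catch(next);

// Constructed controllers: one that works, one that fails with sensitive detail.
const userController = {
  get: async (req, res) => res.status(200).json({ permission: req.user.permission }),
  broken: async () => { throw new Error('query failed: password=hunter2'); },
};

// Stand-in for the router and global error handler, so this runs without a server.
async function dispatch(handlers, req) {
  const res = {
    statusCode: 200, body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  for (const handler of handlers) {
    let error, advanced = false;
    await handler(req, res, (e) => { error = e; advanced = true; });
    // Global handler: generic body, so internals never reach the client.
    if (error) { res.status(500).json({ message: 'server error' }); break; }
    if (!advanced) break; // a middleware responded (401/403) or the controller finished
  }
  return { status: res.statusCode, body: res.body };
}
```

Because the wrapper forwards every failure to one handler, that handler is the single place to log the real error server-side and decide what the client is allowed to see.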
Find out more about how authentication works in the next section.