backend/middleware/auth.js

// Authentication Middleware

// Require authenticated user
function requireAuth(db) {
    return async (req, res, next) => {
        const sessionId = req.cookies?.session_id;

        if (!sessionId) {
            return res.status(401).json({ error: 'Authentication required' });
        }

        try {
            const session = await new Promise((resolve, reject) => {
                db.get(
                    `SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.user_group, u.is_active
                     FROM sessions s
                     JOIN users u ON s.user_id = u.id
                     WHERE s.session_id = ? AND s.expires_at > datetime('now')`,
                    [sessionId],
                    (err, row) => {
                        if (err) reject(err);
                        else resolve(row);
                    }
                );
            });

            if (!session) {
                return res.status(401).json({ error: 'Session expired or invalid' });
            }

            if (!session.is_active) {
                return res.status(401).json({ error: 'Account is disabled' });
            }

            // Attach user to request
            req.user = {
                id: session.user_id,
                username: session.username,
                email: session.email,
                role: session.role,
                group: session.user_group
            };

            next();
        } catch (err) {
            console.error('Auth middleware error:', err);
            return res.status(500).json({ error: 'Authentication error' });
        }
    };
}

// Require specific group(s)
function requireGroup(...allowedGroups) {
    return (req, res, next) => {
        if (!req.user) {
            return res.status(401).json({ error: 'Authentication required' });
        }

        if (!allowedGroups.includes(req.user.group)) {
            return res.status(403).json({
                error: 'Insufficient permissions',
                required: allowedGroups,
                current: req.user.group
            });
        }

        next();
    };
}

module.exports = { requireAuth, requireGroup };
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`// Authentication Middleware`

			`// Require authenticated user`
			`function requireAuth(db) {`
			`return async (req, res, next) => {`
			`const sessionId = req.cookies?.session_id;`

			`if (!sessionId) {`
			`return res.status(401).json({ error: 'Authentication required' });`
			`}`

			`try {`
			`const session = await new Promise((resolve, reject) => {`
			`db.get(`
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.user_group, u.is_active
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`FROM sessions s`
			`JOIN users u ON s.user_id = u.id`
			WHERE s.session_id = ? AND s.expires_at > datetime('now')`,
			`[sessionId],`
			`(err, row) => {`
			`if (err) reject(err);`
			`else resolve(row);`
			`}`
			`);`
			`});`

			`if (!session) {`
			`return res.status(401).json({ error: 'Session expired or invalid' });`
			`}`

			`if (!session.is_active) {`
			`return res.status(401).json({ error: 'Account is disabled' });`
			`}`

			`// Attach user to request`
			`req.user = {`
			`id: session.user_id,`
			`username: session.username,`
			`email: session.email,`
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`role: session.role,`
			`group: session.user_group`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`};`

			`next();`
			`} catch (err) {`
			`console.error('Auth middleware error:', err);`
			`return res.status(500).json({ error: 'Authentication error' });`
			`}`
			`};`
			`}`

feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`// Require specific group(s)`
			`function requireGroup(...allowedGroups) {`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`return (req, res, next) => {`
			`if (!req.user) {`
			`return res.status(401).json({ error: 'Authentication required' });`
			`}`

feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`if (!allowedGroups.includes(req.user.group)) {`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`return res.status(403).json({`
			`error: 'Insufficient permissions',`
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`required: allowedGroups,`
			`current: req.user.group`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`});`
			`}`

			`next();`
			`};`
			`}`

feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`module.exports = { requireAuth, requireGroup };`