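// Authentication Middleware
//
// Session-cookie authentication for Express-style handlers. `requireAuth`
// reads `session_id` from `req.cookies` (a cookie parser must run earlier in
// the chain), resolves it against `sessions` joined to `users`, and exposes
// the identity on `req.user`. `requireRole` then gates on `req.user.role`.

// Require authenticated user.
//
// @param {object} db - sqlite3-style handle exposing `get(sql, params, cb)`.
// @returns {Function} async Express middleware `(req, res, next)`.
//
// Responses:
//   401 - cookie missing or not a string, unknown/expired session, disabled account
//   500 - database error (logged server-side; client sees a generic message)
function requireAuth(db) {
  return async (req, res, next) => {
    const sessionId = req.cookies?.session_id;
    // A session cookie must be a non-empty plain string. Anything else (for
    // example an object produced by a permissive cookie library) would reach
    // the driver as a bad bind parameter and surface as a 500 instead of a
    // clean 401, so reject it here before touching the database.
    if (typeof sessionId !== 'string' || sessionId.length === 0) {
      return res.status(401).json({ error: 'Authentication required' });
    }
    try {
      // Parameterized lookup: the cookie value is bound, never interpolated.
      // Expiry is enforced in the query, so an expired row is treated exactly
      // like a missing one.
      // NOTE(review): `expires_at > datetime('now')` is a text comparison in
      // SQLite; it is only correct if expires_at is stored in the same
      // 'YYYY-MM-DD HH:MM:SS' UTC format that datetime('now') produces —
      // confirm against the code that creates sessions.
      const session = await new Promise((resolve, reject) => {
        db.get(
          `SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.is_active
           FROM sessions s
           JOIN users u ON s.user_id = u.id
           WHERE s.session_id = ? AND s.expires_at > datetime('now')`,
          [sessionId],
          (err, row) => {
            if (err) reject(err);
            else resolve(row);
          }
        );
      });
      if (!session) {
        return res.status(401).json({ error: 'Session expired or invalid' });
      }
      // A disabled account is rejected even while it still holds a valid
      // session, so deactivation takes effect on the very next request.
      if (!session.is_active) {
        return res.status(401).json({ error: 'Account is disabled' });
      }
      // Attach only the identity fields handlers need; raw session columns
      // pulled in by `s.*` (token, timestamps) stay off req.user.
      req.user = {
        id: session.user_id,
        username: session.username,
        email: session.email,
        role: session.role,
      };
      next();
    } catch (err) {
      // Log the real error server-side; never echo driver details to the client.
      console.error('Auth middleware error:', err);
      return res.status(500).json({ error: 'Authentication error' });
    }
  };
}

// Require specific role(s).
//
// Must run after requireAuth (it relies on `req.user`). Deny-by-default: with
// no roles listed, every authenticated caller receives 403.
//
// @param {...string} allowedRoles - roles permitted to pass.
// @returns {Function} Express middleware `(req, res, next)`.
//
// Responses:
//   401 - no authenticated user on the request
//   403 - authenticated, but role not in allowedRoles
function requireRole(...allowedRoles) {
  return (req, res, next) => {
    if (!req.user) {
      return res.status(401).json({ error: 'Authentication required' });
    }
    if (!allowedRoles.includes(req.user.role)) {
      // NOTE(review): echoing the allowed roles and the caller's own role in
      // the 403 body tells a client which roles exist and which one it holds.
      // Kept for compatibility with existing consumers; consider logging
      // these server-side and returning only `error`.
      return res.status(403).json({
        error: 'Insufficient permissions',
        required: allowedRoles,
        current: req.user.role,
      });
    }
    next();
  };
}

// CommonJS export. Guarded because `module` is not defined when this file is
// evaluated as an ES module; under CommonJS the export is unchanged.
if (typeof module !== 'undefined') {
  module.exports = { requireAuth, requireRole };
}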