const { ROLES } = require('../config/constants');
const logger = require('../utils/logger');
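/**
 * Role-based access control middleware factory.
 *
 * Builds an Express middleware that lets a request through only when an
 * authenticated principal (`req.user`, populated by an upstream auth
 * middleware) carries one of the allowed roles. The check is fail-closed:
 * no `req.user` -> 401; a role that is not in the allow-list, including a
 * missing/undefined role -> 403.
 *
 * @param {Array<string>|string} allowedRoles - Role(s) that may access the
 *   route. A single string is accepted and treated as a one-element list.
 * @returns {Function} Express middleware `(req, res, next)`.
 * @throws {TypeError} If `allowedRoles` is neither an array nor a string, or
 *   contains a non-string entry (e.g. a mistyped `ROLES.X` that resolves to
 *   undefined). Misconfiguration is rejected when the route is mounted rather
 *   than surfacing as a 500 on every request.
 */
const checkRole = (allowedRoles) => {
  // Normalise to an array before anything else: with a bare string argument,
  // `allowedRoles.includes(role)` would be String.prototype.includes, i.e. a
  // substring test, so checkRole('superadmin') would silently admit 'admin'.
  const roleList = Array.isArray(allowedRoles) ? allowedRoles : [allowedRoles];
  if (roleList.some((role) => typeof role !== 'string')) {
    throw new TypeError('checkRole: allowedRoles must be a string or an array of strings');
  }
  // Set membership is an exact, O(1) comparison; an empty list denies everyone.
  const allowed = new Set(roleList);

  return (req, res, next) => {
    try {
      // Authentication is a precondition of authorization: an upstream
      // middleware must already have attached the principal to req.user.
      if (!req.user) {
        return res.status(401).json({
          success: false,
          message: 'Authentication required',
        });
      }

      const { role } = req.user;
      if (!allowed.has(role)) {
        // Audit the denial server-side (who, which role, which path). The
        // identifier logged (email) mirrors whatever the upstream auth puts on
        // req.user; prefer a stable user id if that object carries one.
        logger.warn(`Access denied for user ${req.user.email} (${role}) to route ${req.path}`);

        // The allow-list is deliberately not echoed back: which roles unlock a
        // route is authorization policy, and an unprivileged caller should not
        // learn it from a 403 body.
        return res.status(403).json({
          success: false,
          message: 'Access denied. Insufficient permissions.',
        });
      }
    } catch (error) {
      logger.error('Role check error:', error);
      return res.status(500).json({
        success: false,
        message: 'Authorization check failed',
      });
    }

    // Role check passed. next() is invoked outside the try so that a
    // synchronous throw from a downstream handler reaches Express's own error
    // handling instead of being mis-reported as "Authorization check failed"
    // (and possibly writing a second response to an already-sent reply).
    return next();
  };
};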
// Public surface of this module: the role-check middleware factory plus the
// ROLES table it is meant to be configured with, re-exported so route files
// need only one require() for both.
const roleMiddlewareExports = { checkRole, ROLES };
module.exports = roleMiddlewareExports;