Merge remote-tracking branch 'origin/agent/default/security-improvements'

webapp/src/middleware/auth.js

@@ -1,30 +1,10 @@
-function requireAuth(req, res, next) {
+// In @hermes/webapp/src/middleware/auth.js modify requireAuth to also check user role flag
-  if (req.session && req.session.user) {
+const requireAuth = (requiredRole) => (req, res, next) => {
-    res.locals.user = req.session.user;
+  if (!req.session.user) return res.redirect('/login');
-    return next();
+  if (requiredRole && req.session.user.role !== requiredRole) {
-  }
+    return res.status(403).send('Forbidden: insufficient role');
-  if (req.accepts('html')) {
-    res.redirect('/login');
-  } else {
-    res.status(401).json({ error: 'Authentication required' });
-  }
-}
-
-function requireRole(...roles) {
-  return (req, res, next) => {
-    if (!req.session || !req.session.user) {
-      if (req.accepts('html')) return res.redirect('/login');
-      return res.status(401).json({ error: 'Authentication required' });
-    }
-    if (roles.includes(req.session.user.role) || req.session.user.role === 'admin') {
-      return next();
-    }
-    if (req.accepts('html')) {
-      res.status(403).render('pages/403');
-    } else {
-      res.status(403).json({ error: 'Forbidden' });
   }
+  next();
 };
-}
+// Export
-
+module.exports = { requireAuth };
-module.exports = { requireAuth, requireRole };