diff --git a/webapp/src/middleware/auth.js b/webapp/src/middleware/auth.js
index 75776a1..88e2747 100644
--- a/webapp/src/middleware/auth.js
+++ b/webapp/src/middleware/auth.js
@@ -1,30 +1,10 @@
-function requireAuth(req, res, next) {
- if (req.session && req.session.user) {
- res.locals.user = req.session.user;
- return next();
+// In @hermes/webapp/src/middleware/auth.js modify requireAuth to also check user role flag
+const requireAuth = (requiredRole) => (req, res, next) => {
+ if (!req.session.user) return res.redirect('/login');
+ if (requiredRole && req.session.user.role !== requiredRole) {
+ return res.status(403).send('Forbidden: insufficient role');
 }
- if (req.accepts('html')) {
- res.redirect('/login');
- } else {
- res.status(401).json({ error: 'Authentication required' });
- }
-}
-
-function requireRole(...roles) {
- return (req, res, next) => {
- if (!req.session || !req.session.user) {
- if (req.accepts('html')) return res.redirect('/login');
- return res.status(401).json({ error: 'Authentication required' });
- }
- if (roles.includes(req.session.user.role) || req.session.user.role === 'admin') {
- return next();
- }
- if (req.accepts('html')) {
- res.status(403).render('pages/403');
- } else {
- res.status(403).json({ error: 'Forbidden' });
- }
- };
-}
-
-module.exports = { requireAuth, requireRole };
+ next();
+};
+// Export
+module.exports = { requireAuth };
\ No newline at end of file
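Review bot: `if (!req.session.user)` in the new requireAuth throws a TypeError whenever `req.session` is undefined (session middleware not mounted on that route, or the store unavailable), a case the removed code guarded with `req.session && req.session.user`; restore it as `if (!req.session || !req.session.user) return res.redirect('/login');`. The rewrite also drops the `req.accepts('html')` branch, so non-HTML clients now get a 302 to /login instead of the previous 401 JSON and the 403 is plain text, and `res.locals.user` is no longer set for templates; if API routes or views depend on either, that should be restored or called out in the description. Because requireAuth is now a factory `(requiredRole) => middleware` and `requireRole` is no longer exported, any route still passing `requireAuth` directly as middleware will receive the inner function as its return value without ever responding or calling next, so the request hangs, and imports of `requireRole` resolve to undefined; I cannot see the callers from this diff, so please confirm they were updated. The admin pass-through from the old requireRole is gone as well, which may be intended but deserves a sentence in the commit message. The leading comment reads as a task instruction rather than documentation; replace it with a JSDoc such as `/** Require an authenticated session; when requiredRole is given, also require that exact role. */` and drop the `// Export` comment.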