diff --git a/webapp/src/middleware/auth.js b/webapp/src/middleware/auth.js
index 88e2747..75776a1 100644
--- a/webapp/src/middleware/auth.js
+++ b/webapp/src/middleware/auth.js
@@ -1,10 +1,30 @@
-// In @hermes/webapp/src/middleware/auth.js modify requireAuth to also check user role flag
-const requireAuth = (requiredRole) => (req, res, next) => {
- if (!req.session.user) return res.redirect('/login');
- if (requiredRole && req.session.user.role !== requiredRole) {
- return res.status(403).send('Forbidden: insufficient role');
+function requireAuth(req, res, next) {
+ if (req.session && req.session.user) {
+ res.locals.user = req.session.user;
+ return next();
 }
- next();
-};
-// Export
-module.exports = { requireAuth };
\ No newline at end of file
+ if (req.accepts('html')) {
+ res.redirect('/login');
+ } else {
+ res.status(401).json({ error: 'Authentication required' });
+ }
+}
+
+function requireRole(...roles) {
+ return (req, res, next) => {
+ if (!req.session || !req.session.user) {
+ if (req.accepts('html')) return res.redirect('/login');
+ return res.status(401).json({ error: 'Authentication required' });
+ }
+ if (roles.includes(req.session.user.role) || req.session.user.role === 'admin') {
+ return next();
+ }
+ if (req.accepts('html')) {
+ res.status(403).render('pages/403');
+ } else {
+ res.status(403).json({ error: 'Forbidden' });
+ }
+ };
+}
+
+module.exports = { requireAuth, requireRole };
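Review bot: The `req.accepts('html')` checks in both requireAuth and requireRole are truthy for a wildcard `Accept: */*` header, so non-browser clients that send no specific Accept (the common default for HTTP tooling) get a 302 to `/login` instead of the intended 401/403 JSON; prefer an explicit negotiation that falls back to JSON, `if (req.accepts(['json', 'html']) === 'html') {`, at all three sites. The unauthenticated branch of requireRole repeats requireAuth's logic and, unlike requireAuth, never sets `res.locals.user` on success, so a route guarded only by requireRole will have that value unset in views unless requireAuth is always chained first — worth either delegating to requireAuth or documenting the expected ordering. The unconditional `req.session.user.role === 'admin'` short-circuit grants every role-gated route to admins regardless of the `roles` list passed in; that is a policy decision that should be stated in a doc comment on requireRole, e.g. `// 'admin' satisfies every role check; pass roles only for the non-admin roles allowed`, so callers do not assume the list is exhaustive.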