[OWL] Restore auth.js — keep requireRole middleware (more complete than agent version)

webapp/src/middleware/auth.js

@@ -1,10 +1,30 @@
-// In @hermes/webapp/src/middleware/auth.js modify requireAuth to also check user role flag
+function requireAuth(req, res, next) {
-const requireAuth = (requiredRole) => (req, res, next) => {
+  if (req.session && req.session.user) {
-  if (!req.session.user) return res.redirect('/login');
+    res.locals.user = req.session.user;
-  if (requiredRole && req.session.user.role !== requiredRole) {
+    return next();
-    return res.status(403).send('Forbidden: insufficient role');
   }
-  next();
+  if (req.accepts('html')) {
-};
+    res.redirect('/login');
-// Export
+  } else {
-module.exports = { requireAuth };
+    res.status(401).json({ error: 'Authentication required' });
+  }
+}
+
+function requireRole(...roles) {
+  return (req, res, next) => {
+    if (!req.session || !req.session.user) {
+      if (req.accepts('html')) return res.redirect('/login');
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+    if (roles.includes(req.session.user.role) || req.session.user.role === 'admin') {
+      return next();
+    }
+    if (req.accepts('html')) {
+      res.status(403).render('pages/403');
+    } else {
+      res.status(403).json({ error: 'Forbidden' });
+    }
+  };
+}
+
+module.exports = { requireAuth, requireRole };