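// Role-based access control middleware.
//
// requireRole(requiredRoles) builds an Express-style middleware (req, res, next)
// that lets the request through only when req.user.role is one of the allowed
// roles, answering 401 for unauthenticated and 403 for unauthorised requests.
//
// @param {string|string[]} requiredRoles - the allowed role, or list of roles.
//   A bare string is treated as exactly one role. Previously the argument was
//   passed straight to `.includes`, so a string argument fell through to
//   String.prototype.includes and matched any *substring* of the role name —
//   e.g. requireRole('admin') would have admitted a user whose role was 'a'.
// @returns {(req, res, next) => void} the middleware function.
// @throws {TypeError} when requiredRoles is neither a string nor an array, so
//   a misconfigured route fails at definition time instead of on every request.
const requireRole = (requiredRoles) => {
  if (typeof requiredRoles !== 'string' && !Array.isArray(requiredRoles)) {
    throw new TypeError('requireRole: requiredRoles must be a string or an array of strings');
  }

  // Normalise once at route-definition time. Set.has compares with
  // SameValueZero, so no substring or type-coercion matches are possible.
  const allowedRoles = new Set(Array.isArray(requiredRoles) ? requiredRoles : [requiredRoles]);

  return (req, res, next) => {
    // Not authenticated. req.user is expected to be populated by an earlier
    // authentication middleware that is not part of this file.
    if (!req.user) {
      return res.status(401).json({ error: 'Authentication required' });
    }

    // Authenticated but not authorised. A missing or empty role is denied
    // rather than treated as a wildcard (fail closed).
    const userRole = req.user.role;
    if (!userRole || !allowedRoles.has(userRole)) {
      return res.status(403).json({ error: 'Insufficient permissions' });
    }

    // Authorised: hand off to the next handler in the chain.
    next();
  };
};

// CommonJS export; guarded so the file also loads where `module` is absent.
if (typeof module !== 'undefined') {
  module.exports = { requireRole };
}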