37df062f3b
Some checks are pending
Docker Test / test (push) Waiting to run
This commit implements the role-based access control system as outlined in the project documentation. It includes: - A requireRole middleware for protecting routes - Auth routes for registration, login, profile management - Audit logging for sensitive actions - Role management endpoints - Updated app.js to include audit logging middleware
25 lines
No EOL
706 B
JavaScript
25 lines
No EOL
706 B
JavaScript
// middleware/requireRole.js
|
|
const jwt = require('jsonwebtoken');
|
|
|
|
function requireRole(allowedRoles) {
|
|
return (req, res, next) => {
|
|
const token = req.header('Authorization')?.replace('Bearer ', '');
|
|
|
|
if (!token) {
|
|
return res.status(401).json({ error: 'Access denied. No token provided.' });
|
|
}
|
|
|
|
try {
|
|
const decoded = jwt.verify(token, process.env.JWT_SECRET);
|
|
if (!allowedRoles.includes(decoded.role)) {
|
|
return res.status(403).json({ error: 'Access denied. Insufficient permissions.' });
|
|
}
|
|
req.user = decoded;
|
|
next();
|
|
} catch (error) {
|
|
res.status(400).json({ error: 'Invalid token.' });
|
|
}
|
|
};
|
|
}
|
|
|
|
module.exports = requireRole; |