lots of stuff, don't truly remember

2026-05-17 20:39:47 -05:00
parent 178ffb3425
commit dc4fe558b7
35 changed files with 3501 additions and 112 deletions
--- a/internal/middleware/auth.go
+++ b/internal/middleware/auth.go
@@ -17,6 +17,35 @@ func NewAuthMiddleware() *AuthMiddleware {
 	return &AuthMiddleware{}
 }

+// RequireRole returns middleware that checks for a specific user role.
+// It must be used after ProtectedRoute (or any middleware that sets the user context).
+func (am *AuthMiddleware) RequireRole(role string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			claims, ok := r.Context().Value(UserContextKey).(*config.CustomClaims)
+			if !ok || claims == nil {
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusUnauthorized)
+				json.NewEncoder(w).Encode(map[string]string{
+					"error": "unauthorized",
+				})
+				return
+			}
+
+			if claims.Role != role {
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusForbidden)
+				json.NewEncoder(w).Encode(map[string]string{
+					"error": "insufficient permissions",
+				})
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
 func (am *AuthMiddleware) ProtectedRoute(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		authHeader := r.Header.Get("Authorization")
@@ -62,4 +91,4 @@ func (am *AuthMiddleware) ProtectedRoute(next http.Handler) http.Handler {
 		ctx := context.WithValue(r.Context(), UserContextKey, claims)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
-}
+}