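package middleware

import (
	"net/http"
	"os"
	"strings"

	"github.com/gin-gonic/gin"

	accountModels "goaresv3/app/accounts/models"
	"goaresv3/config"
	jwtHelper "goaresv3/pkg/jwt"
)

// bearerPrefix is the only authorization scheme this middleware accepts.
// The trailing space is part of the prefix so "Bearerfoo" is rejected.
const bearerPrefix = "Bearer "

// AuthRequired validates the Bearer access token and injects claims into context.
//
// On success it stores "user_id", "email" and "username" in the gin context
// and calls c.Next(). A missing or non-Bearer Authorization header and a
// token that jwtHelper.ValidateToken rejects both abort with 401. A missing
// JWT_SECRET aborts with 500 instead of validating against an empty key.
func AuthRequired() gin.HandlerFunc {
	return func(c *gin.Context) {
		header := c.GetHeader("Authorization")
		if !strings.HasPrefix(header, bearerPrefix) {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "authorization header missing or malformed"})
			return
		}
		tokenStr := strings.TrimPrefix(header, bearerPrefix)

		// Fail closed when the signing secret is not configured. Whether an
		// empty key would ever verify depends on jwtHelper, but a request must
		// never be authenticated against an unset secret.
		secret := os.Getenv("JWT_SECRET")
		if secret == "" {
			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "server misconfigured"})
			return
		}

		claims, err := jwtHelper.ValidateToken(tokenStr, secret)
		if err != nil {
			// One generic message for every validation failure so the
			// response does not reveal why the token was rejected.
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid or expired access token"})
			return
		}

		// Downstream handlers and AdminRequired read these keys; AdminRequired
		// uses c.GetUint("user_id"), so claims.UserID is expected to be a uint.
		c.Set("user_id", claims.UserID)
		c.Set("email", claims.Email)
		c.Set("username", claims.UserName)
		c.Next()
	}
}

// AdminRequired checks whether the authenticated user has admin privileges.
//
// It must run after AuthRequired, since it relies on the "user_id" context
// key that AuthRequired sets. The admin flag is re-read from the database on
// every request rather than trusted from the token, so revoking admin rights
// takes effect immediately. Aborts with 401 when there is no authenticated
// user or the user row cannot be loaded, 403 when the user is not an admin,
// and 500 when the database handle is not initialised.
func AdminRequired() gin.HandlerFunc {
	return func(c *gin.Context) {
		// GetUint returns 0 both when the key is absent and when the stored
		// value is not a uint, so either case is treated as unauthenticated.
		userID := c.GetUint("user_id")
		if userID == 0 {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
			return
		}

		if config.DB == nil {
			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "database is not connected"})
			return
		}

		// Only the columns needed for the decision are selected.
		var user accountModels.User
		if err := config.DB.Select("id", "is_admin").First(&user, userID).Error; err != nil {
			// NOTE(review): a transient DB error is reported the same way as a
			// missing row; distinguishing the two would need the ORM's
			// not-found sentinel, which this file does not import.
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid user"})
			return
		}

		// IsAdmin is a nullable pointer; NULL is treated as "not admin".
		if user.IsAdmin == nil || !*user.IsAdmin {
			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "admin role required"})
			return
		}

		c.Next()
	}
}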