Initial Claude Run

backend/src/middleware/auth.js

@@ -0,0 +1,75 @@
+const jwt = require('jsonwebtoken');
+const pool = require('../config/database');
+
+const authenticateToken = async (req, res, next) => {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN
+
+  if (!token) {
+    return res.status(401).json({
+      success: false,
+      message: 'Access token required'
+    });
+  }
+
+  try {
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    
+    // Verify user still exists and is active
+    const userResult = await pool.query(
+      'SELECT id, email, role FROM users WHERE id = $1',
+      [decoded.userId]
+    );
+
+    if (userResult.rows.length === 0) {
+      return res.status(401).json({
+        success: false,
+        message: 'Invalid token - user not found'
+      });
+    }
+
+    req.user = userResult.rows[0];
+    next();
+  } catch (error) {
+    console.error('Token verification error:', error);
+    return res.status(403).json({
+      success: false,
+      message: 'Invalid or expired token'
+    });
+  }
+};
+
+const requireAdmin = (req, res, next) => {
+  if (req.user.role !== 'admin') {
+    return res.status(403).json({
+      success: false,
+      message: 'Admin access required'
+    });
+  }
+  next();
+};
+
+const requireOwnership = (resourceUserIdField = 'user_id') => {
+  return (req, res, next) => {
+    const resourceUserId = req.params[resourceUserIdField] || req.body[resourceUserIdField];
+    
+    if (req.user.role === 'admin') {
+      return next(); // Admins can access any resource
+    }
+    
+    if (parseInt(resourceUserId) !== req.user.id) {
+      return res.status(403).json({
+        success: false,
+        message: 'Access denied - you can only access your own resources'
+      });
+    }
+    
+    next();
+  };
+};
+
+module.exports = {
+  authenticateToken,
+  requireAdmin,
+  requireOwnership
+};