Middleware - pacificnm/wiki-ai GitHub Wiki

📁 middleware/roleMiddleware.js

/**
 * Middleware that lets only admin users through.
 *
 * Reads `req.user.role` (set by whatever authentication middleware runs
 * before this one). Any other role — or no `req.user` at all — is answered
 * with 403, so an unauthenticated request also gets 403 here rather than
 * 401; chain `requireUser` first if a 401 is wanted for that case.
 *
 * @param {object} req - Express request; `req.user` is read.
 * @param {object} res - Express response; written only on rejection.
 * @param {function} next - Called when the caller is an admin.
 * @returns {*} Result of `next()` or of the 403 response.
 */
export function requireAdmin(req, res, next) {
  const role = req.user?.role;
  if (role !== 'admin') {
    return res.status(403).json({ message: 'Admin access required' });
  }
  return next();
}

/**
 * Middleware that requires an authenticated user.
 *
 * Passes the request on when `req.user` is truthy; otherwise responds 401.
 * The user object itself is not inspected — only its presence.
 *
 * @param {object} req - Express request; `req.user` is read.
 * @param {object} res - Express response; written only on rejection.
 * @param {function} next - Called when a user is present.
 * @returns {*} Result of `next()` or of the 401 response.
 */
export function requireUser(req, res, next) {
  const authenticated = Boolean(req.user);
  if (!authenticated) {
    return res.status(401).json({ message: 'User authentication required' });
  }
  return next();
}

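/**
 * Build middleware that admits a request only when the caller is an admin or
 * owns the targeted resource.
 *
 * The ownership test is deny-by-default: it passes only when both
 * `req.user.uid` and the looked-up owner id are present and strictly equal.
 * A plain `userId === ownerId` would grant access when both are `undefined`
 * (user without a `uid`, resource not found or without an owner), which is
 * exactly what a lookup for a non-existent document returns.
 *
 * @param {function} getResourceOwnerId - Async function `(req) => ownerId`.
 *   Return `null`/`undefined` when the resource or its owner cannot be found;
 *   that is treated as "not the owner", never as a match.
 * @returns {function} Express middleware `(req, res, next)` that responds
 *   401 when there is no `req.user`, 403 when the caller is neither admin nor
 *   owner, and 500 without error details when `getResourceOwnerId` throws.
 */
export function requireOwnerOrAdmin(getResourceOwnerId) {
  return async (req, res, next) => {
    // Consistent with requireUser: a missing user is 401, not 403.
    if (!req.user) {
      return res.status(401).json({ message: 'User authentication required' });
    }
    // Admins never need the owner lookup, so a failing lookup cannot block them.
    if (req.user.role === 'admin') {
      return next();
    }
    try {
      const ownerId = await getResourceOwnerId(req);
      const userId = req.user.uid;
      // Both sides must exist: `undefined === undefined` must never count as ownership.
      const isOwner = userId != null && ownerId != null && userId === ownerId;
      if (isOwner) {
        return next();
      }
      return res.status(403).json({ message: 'Access denied' });
    } catch (err) {
      // Keep the failure detail server-side; err.message can expose internals
      // (database errors, paths) to the client.
      console.error('Access control error', err);
      return res.status(500).json({ message: 'Access control error' });
    }
  };
}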

🔧 Usage Example

import { requireUser, requireOwnerOrAdmin } from '../middleware/roleMiddleware.js';
import Document from '../models/Document.js';

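// Owner lookup for the ownership check. Normalise "no document / no owner" to
// `null` rather than `undefined`: the middleware compares this value with
// `req.user?.uid` using `===`, and `undefined === undefined` is true, so a
// request for a non-existent document must not resolve to `undefined`.
router.put(
  '/:id',
  requireUser,
  requireOwnerOrAdmin(async (req) => {
    const doc = await Document.findById(req.params.id);
    return doc?.ownerId?.toString() ?? null;
  }),
  documentController.updateDocument
);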

🔐 Admin-Only Route Example

// Deleting a document is admin-only; requireAdmin answers 403 for everyone else,
// including unauthenticated callers.
const deleteHandlers = [requireAdmin, documentController.deleteDocument];
router.delete('/:id', ...deleteHandlers);