import { Request, Response, NextFunction } from 'express' import { EmployeeRole } from '@rentaldrivego/database' import { sendUnauthorized, sendForbidden } from './authHelpers' const ROLE_RANK: Record = { OWNER: 3, MANAGER: 2, AGENT: 1, } /** * Requires the authenticated employee to have at least `minimumRole`. * Must be applied after `requireCompanyAuth`. */ export function requireRole(minimumRole: EmployeeRole) { return (req: Request, res: Response, next: NextFunction) => { const employee = req.employee if (!employee) return sendUnauthorized(res, 'unauthenticated', 'Authentication required') const employeeRank = ROLE_RANK[employee.role] ?? 0 const requiredRank = ROLE_RANK[minimumRole] ?? 99 if (employeeRank < requiredRank) { return sendForbidden(res, 'forbidden', `This action requires the ${minimumRole} role or higher`, { requiredRole: minimumRole, yourRole: employee.role, }) } next() } }