Updatweb

backend/middleware/auth.js

@@ -1,19 +1,32 @@
+const logger = require("../config/logger");
+const { sendUnauthorized, sendForbidden } = require("../utils/responseHelpers");
+
+const isAuthenticated = (req) => {
+  return req.session?.user?.id;
+};
+
 const requireAuth = (req, res, next) => {
-  if (req.session && req.session.user && req.session.user.id) {
+  if (isAuthenticated(req)) {
     return next();
   }
-  res.status(401).json({ success: false, message: "Authentication required" });
+
+  logger.warn("Unauthorized access attempt", {
+    path: req.path,
+    ip: req.ip,
+  });
+  sendUnauthorized(res);
 };
 
 const requireRole = (allowedRoles) => {
-  // Allow single role or array of roles
   const roles = Array.isArray(allowedRoles) ? allowedRoles : [allowedRoles];
 
   return (req, res, next) => {
-    if (!req.session || !req.session.user || !req.session.user.id) {
-      return res
-        .status(401)
-        .json({ success: false, message: "Authentication required" });
+    if (!isAuthenticated(req)) {
+      logger.warn("Unauthorized access attempt", {
+        path: req.path,
+        ip: req.ip,
+      });
+      return sendUnauthorized(res);
     }
 
     const userRole = req.session.user.role_id || "role-admin";
@@ -22,12 +35,14 @@ const requireRole = (allowedRoles) => {
       return next();
     }
 
-    res.status(403).json({
-      success: false,
-      message: "Access denied. Insufficient permissions.",
-      required_role: roles,
-      your_role: userRole,
+    logger.warn("Forbidden access attempt", {
+      path: req.path,
+      ip: req.ip,
+      userRole,
+      requiredRoles: roles,
     });
+
+    sendForbidden(res, "Access denied. Insufficient permissions.");
   };
 };