adminOnly.js
1/**
2 * @file Admin Role Authorization Middleware
3 * @module middleware/adminOnly
4 * @description
 * Express middleware for restricting routes to admin-level users. Reads the role from
 * req.user (populated by the auth middleware) and compares it against a fixed
 * allowlist: admin, msp and root pass; staff — and any unrecognised or missing role —
 * is denied. This is a role check only; it does not scope an admin to a tenant, so
 * tenant isolation must be enforced by the route or another middleware.
8 *
9 * Role hierarchy:
10 * - root: Super admin (Root MSP)
11 * - msp: MSP admin
12 * - admin: Tenant admin
13 * - staff: Regular user (DENIED)
14 * @requires middleware/auth - Must run AFTER authenticateToken middleware
15 * @see {@link module:middleware/auth} for authentication middleware
16 * @see {@link module:middleware/tenant~requireRoot} for root-only access
17 */
18
/**
 * Restricts route access to admin-level users (admin/msp/root roles).
 *
 * Reads req.user.role, which must already have been populated by the
 * authenticateToken middleware. The check is a strict, case-sensitive allowlist:
 * only the three named roles call next(). Anything else — 'staff', an unknown
 * role, or a missing/non-string role — falls through to the same 403 response
 * (deny by default). A request with no req.user at all is treated as
 * unauthenticated and receives 401.
 *
 * Security note: this is a role check only. It does not verify which tenant the
 * caller's admin role belongs to, so tenant scoping must be enforced elsewhere.
 * @function requireAdmin
 * @param {object} req - Express request object
 * @param {object} req.user - User object from authenticateToken middleware
 * @param {string} req.user.role - User role (admin/msp/root/staff)
 * @param {object} res - Express response object
 * @param {Function} next - Express next middleware function
 * @returns {void} Calls next() for admin-level users, sends 401/403 otherwise
 * @throws {401} Authentication required - Missing req.user
 * @throws {403} Admin access required - Role is not in the admin allowlist
 * @example
 * // Apply to admin-only routes
 * const authenticateToken = require('./middleware/auth');
 * const requireAdmin = require('./middleware/adminOnly');
 *
 * router.delete('/customers/:id', authenticateToken, requireAdmin, (req, res) => {
 *   // Only admins can delete customers
 * });
 * @example
 * // Error response for a denied user
 * {
 *   "error": "Admin access required. Staff users cannot perform this action."
 * }
 */

// Roles that pass this middleware. Set#has uses SameValueZero, which for strings
// is equivalent to the strict equality the check relies on.
const ADMIN_LEVEL_ROLES = new Set(['admin', 'msp', 'root']);

function requireAdmin(req, res, next) {
  const currentUser = req.user;

  // No authenticated principal at all: the auth middleware did not run or failed.
  if (!currentUser) {
    return res.status(401).json({ error: 'Authentication required' });
  }

  // Allowlist check; any role outside the set is denied, not just 'staff'.
  if (ADMIN_LEVEL_ROLES.has(currentUser.role)) {
    return next();
  }

  return res.status(403).json({ error: 'Admin access required. Staff users cannot perform this action.' });
}
61
// The middleware function is the module's sole export, so callers can use
// `const requireAdmin = require('./middleware/adminOnly');` directly in a route chain.
module.exports = requireAdmin;