const jwt = require('jsonwebtoken'); const { one } = require('../db'); const JWT_SECRET = process.env.MIXEDASSETS_JWT_SECRET || 'mixedassets-local-development-secret'; function publicUser(user) { if (!user) return null; return { id: user.id, name: user.name, email: user.email, role: user.role, teamId: user.team_id }; } function tokenFor(user) { return jwt.sign({ sub: user.id, role: user.role, teamId: user.team_id }, JWT_SECRET, { expiresIn: '12h' }); } function requireAuth(req, res, next) { const header = req.headers.authorization || ''; const [, token] = header.split(' '); if (!token) return res.status(401).json({ error: 'Authentication required' }); try { const payload = jwt.verify(token, JWT_SECRET); const user = one('SELECT * FROM users WHERE id = ? AND status = ?', [payload.sub, 'active']); if (!user) return res.status(401).json({ error: 'User is inactive or missing' }); req.user = user; return next(); } catch { return res.status(401).json({ error: 'Invalid or expired token' }); } } function requireRole(...roles) { return (req, res, next) => { if (!roles.includes(req.user.role)) return res.status(403).json({ error: 'Insufficient access' }); return next(); }; } module.exports = { publicUser, requireAuth, requireRole, tokenFor };