initial commit

server/utils/authHelpers.js

@@ -0,0 +1,20 @@
+/**
+ * Require authenticated user. Optionally require role. Throws 401 if none, 403 if role insufficient.
+ * @param {import('h3').H3Event} event
+ * @param {{ role?: 'admin' | 'adminOrLeader' }} [opts] - role: 'admin' = admin only; 'adminOrLeader' = admin or leader
+ * @returns {{ id: string, identifier: string, role: string }} The current user.
+ */
+export function requireAuth(event, opts = {}) {
+  const user = event.context.user
+  if (!user) {
+    throw createError({ statusCode: 401, message: 'Unauthorized' })
+  }
+  const { role } = opts
+  if (role === 'admin' && user.role !== 'admin') {
+    throw createError({ statusCode: 403, message: 'Forbidden' })
+  }
+  if (role === 'adminOrLeader' && user.role !== 'admin' && user.role !== 'leader') {
+    throw createError({ statusCode: 403, message: 'Forbidden' })
+  }
+  return user
+}