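/**
 * Require an authenticated user and, optionally, a role.
 *
 * Throws 401 when `event.context.user` is not set and 403 when the user's role
 * does not satisfy `opts.role`. An `opts.role` value this function does not
 * recognise is rejected instead of being treated as "no role required".
 *
 * @param {import('h3').H3Event} event
 * @param {{ role?: 'admin' | 'adminOrLeader' }} [opts] - role: 'admin' = admin only; 'adminOrLeader' = admin or leader
 * @returns {{ id: string, identifier: string, role: string }} The current user.
 * @throws {TypeError} If `opts.role` is set to anything other than 'admin' or 'adminOrLeader'.
 */
export function requireAuth(event, opts = {}) {
  // NOTE(review): event.context.user is trusted as-is; presumably it is set by
  // authentication middleware. Confirm nothing client-controlled can write it.
  const user = event.context.user
  if (!user) {
    throw createError({ statusCode: 401, message: 'Unauthorized' })
  }

  const { role } = opts
  // No role requested: any authenticated user passes.
  if (role == null) {
    return user
  }

  let allowed
  switch (role) {
    case 'admin':
      allowed = user.role === 'admin'
      break
    case 'adminOrLeader':
      allowed = user.role === 'admin' || user.role === 'leader'
      break
    default:
      // Fail closed: a misspelled or unsupported requirement (e.g. 'Admin',
      // 'leader') must not silently degrade to an authentication-only check.
      // Raised as a TypeError because it is a caller bug, not a client error.
      throw new TypeError(`requireAuth: unknown role requirement '${String(role)}'`)
  }

  if (!allowed) {
    throw createError({ statusCode: 403, message: 'Forbidden' })
  }
  return user
}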