Diffstat (limited to 'backend/src/middleware/auth.middleware.js')
-rw-r--r--backend/src/middleware/auth.middleware.js63
1 files changed, 63 insertions, 0 deletions
diff --git a/backend/src/middleware/auth.middleware.js b/backend/src/middleware/auth.middleware.js
new file mode 100644
index 0000000..62c7aa9
--- /dev/null
+++ b/backend/src/middleware/auth.middleware.js
@@ -0,0 +1,63 @@
+const { verifyToken } = require('../utils/jwt');
+const User = require('../models/User');
+
+/**
+ * Authentication middleware
+ * @param {Object} req - Express request object
+ * @param {Object} res - Express response object
+ * @param {Function} next - Express next function
+ */
+const authenticate = async (req, res, next) => {
+ try {
+ let token;
+
+ // Get token from Authorization header
+ if (req.headers.authorization && req.headers.authorization.startsWith('Bearer')) {
+ token = req.headers.authorization.split(' ')[1];
+ }
+
+ if (!token) {
+ return res.status(401).json({ message: 'Authentication required. Please log in.' });
+ }
+
+ // Verify token
+ const decoded = verifyToken(token);
+
+ // Find user by id
+ const user = await User.findById(decoded.id);
+
+ if (!user || !user.active) {
+ return res.status(401).json({ message: 'The user no longer exists or is inactive.' });
+ }
+
+ // Attach user to request object
+ req.user = user;
+ next();
+ } catch (error) {
+ res.status(401).json({ message: 'Authentication failed. Invalid token.' });
+ }
+};
+
+/**
+ * Authorization middleware factory
+ * @param {String[]} roles - Array of allowed roles
+ * @returns {Function} Express middleware
+ */
+const authorize = (...roles) => {
+ return (req, res, next) => {
+ if (!req.user) {
+ return res.status(401).json({ message: 'Authentication required.' });
+ }
+
+ if (!roles.includes(req.user.role)) {
+ return res.status(403).json({ message: 'You do not have permission to perform this action.' });
+ }
+
+ next();
+ };
+};
+
+module.exports = {
+ authenticate,
+ authorize
+}; \ No newline at end of file
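Review bot: The catch block at the end of `authenticate` turns every exception into a 401 "Invalid token", including failures thrown by `User.findById` (a database outage or a malformed `decoded.id`), so infrastructure errors are misreported to the client as credential problems and nothing is logged. Only token-validation errors should map to 401; anything else should go to `next(error)` so the app's error handler can return a 5xx and record it. The names below assume `verifyToken` lets `jsonwebtoken`'s errors propagate — confirm against `../utils/jwt`. Separately, `startsWith('Bearer')` on the header check should be `startsWith('Bearer ')` so a scheme like `Bearerx` is not accepted, and `split(' ')[1]` yields an empty string on `Bearer  token` with a double space; a safer extraction is `token = req.headers.authorization.slice('Bearer '.length).trim();`. There is also no check that the token predates a password change or other revocation event, which is worth considering if the User model tracks that.
```javascript
  } catch (error) {
    // Only a bad/expired token is the client's fault; a failed User.findById
    // or any other error must surface as a server error, not a 401.
    if (error.name === 'JsonWebTokenError' || error.name === 'TokenExpiredError') {
      return res.status(401).json({ message: 'Authentication failed. Invalid token.' });
    }
    return next(error);
  }
```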