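"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.requireRole = requireRole;
exports.requireNonTemp = requireNonTemp;
const client_1 = require("@prisma/client");
const error_handler_1 = require("./error-handler");

/**
 * Resolve the effective role list for an authenticated user.
 *
 * Prefers the multi-role array `user.roles` and falls back to the single
 * `user.role` when the array is absent, not an array, or empty. The empty
 * case is the reason this helper exists: with `roles || [role]` an empty
 * array is truthy and hides `role` entirely, so a user whose only role is
 * carried on `user.role` would fail every requireRole() check and would
 * not be recognized as temp-only by requireNonTemp().
 *
 * @param {{ roles?: unknown, role?: unknown }} user - req.user as populated by the auth middleware (presumably; not visible here)
 * @returns {Array} roles to authorize against (contains `undefined` when neither field is set)
 */
function resolveUserRoles(user) {
    const { roles, role } = user;
    if (Array.isArray(roles) && roles.length > 0) {
        return roles;
    }
    return [role];
}

/**
 * Build middleware that allows the request only when the user holds at
 * least one of the given roles. SUPER_ADMIN always passes.
 *
 * Called with no roles, the middleware admits only SUPER_ADMIN. Errors are
 * thrown synchronously; this relies on the router forwarding synchronous
 * throws from middleware to the error handler (Express does so for sync
 * middleware; confirm if another framework or an async wrapper is used).
 *
 * @param {...string} roles - accepted UserRole values
 * @returns {(req: object, res: object, next: Function) => void} middleware
 * @throws {AppError} 401 AUTH_REQUIRED when req.user is missing;
 *   403 FORBIDDEN when none of the user's roles is accepted
 */
function requireRole(...roles) {
    return (req, _res, next) => {
        if (!req.user) {
            throw new error_handler_1.AppError(401, 'Authentication required', 'AUTH_REQUIRED');
        }
        const userRoles = resolveUserRoles(req.user);
        // SUPER_ADMIN bypasses all role checks
        if (userRoles.includes(client_1.UserRole.SUPER_ADMIN)) {
            return next();
        }
        const hasRole = userRoles.some((r) => roles.includes(r));
        if (!hasRole) {
            throw new error_handler_1.AppError(403, 'Insufficient permissions', 'FORBIDDEN');
        }
        next();
    };
}

/**
 * Middleware that blocks accounts whose only role is TEMP.
 *
 * A user holding TEMP alongside any other role is allowed through. Roles
 * are deduplicated first so that a list such as `[TEMP, TEMP]` is still
 * treated as temp-only rather than slipping past a raw length check.
 * Throws synchronously, with the same router-forwarding caveat as
 * requireRole().
 *
 * @param {object} req - request; `req.user` is expected to be set by the auth middleware
 * @param {object} _res - unused
 * @param {Function} next - continuation
 * @throws {AppError} 401 AUTH_REQUIRED when req.user is missing;
 *   403 TEMP_FORBIDDEN when the account is temp-only
 */
function requireNonTemp(req, _res, next) {
    if (!req.user) {
        throw new error_handler_1.AppError(401, 'Authentication required', 'AUTH_REQUIRED');
    }
    const distinctRoles = new Set(resolveUserRoles(req.user));
    // User is "temp only" if TEMP is their sole distinct role
    const isTempOnly = distinctRoles.size === 1 && distinctRoles.has(client_1.UserRole.TEMP);
    if (isTempOnly) {
        throw new error_handler_1.AppError(403, 'Temporary accounts cannot access this resource', 'TEMP_FORBIDDEN');
    }
    next();
}
//# sourceMappingURL=rbac.middleware.js.map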