54 lines
1.2 KiB
JavaScript
54 lines
1.2 KiB
JavaScript
const { logger } = require('./logger');
|
|
|
|
/**
|
|
* Middleware that blocks guest users from accessing non-abonnement routes.
|
|
* Guest users (role='guest') can ONLY access:
|
|
* - /abonements/*
|
|
* - /invoices/mine
|
|
* - /me
|
|
* - /user/settings
|
|
* - /logout
|
|
* - /refresh
|
|
*
|
|
* Place this AFTER authMiddleware in the app-level middleware chain.
|
|
*/
|
|
const GUEST_ALLOWED_PREFIXES = [
|
|
'/abonements',
|
|
'/invoices/mine',
|
|
'/me',
|
|
'/user/settings',
|
|
'/user/status',
|
|
'/logout',
|
|
'/refresh',
|
|
'/coffee/active',
|
|
'/tax/vat-rates',
|
|
];
|
|
|
|
function guestRestriction(req, res, next) {
|
|
const user = req.user;
|
|
if (!user || user.role !== 'guest') {
|
|
return next();
|
|
}
|
|
|
|
const urlPath = req.originalUrl.split('?')[0];
|
|
|
|
const isAllowed = GUEST_ALLOWED_PREFIXES.some((prefix) => urlPath.startsWith(prefix));
|
|
|
|
if (isAllowed) {
|
|
return next();
|
|
}
|
|
|
|
logger.warn('guestRestriction:blocked', {
|
|
userId: user.userId || user.id,
|
|
route: urlPath,
|
|
method: req.method,
|
|
});
|
|
|
|
return res.status(403).json({
|
|
success: false,
|
|
message: 'Guest accounts can only access subscription features. Please upgrade your account for full access.',
|
|
});
|
|
}
|
|
|
|
module.exports = guestRestriction;
|