first commit

2026-01-29 01:16:54 +01:00
commit e209e9bbca
12105 changed files with 2480672 additions and 0 deletions
@@ -0,0 +1,90 @@
+import { Response, NextFunction } from 'express';
+import jwt from 'jsonwebtoken';
+import { AuthRequest, JwtPayload } from '../types/index.js';
+
+export function authenticate(
+  req: AuthRequest,
+  res: Response,
+  next: NextFunction
+): void {
+  const authHeader = req.headers.authorization;
+
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
+    return;
+  }
+
+  const token = authHeader.split(' ')[1];
+
+  try {
+    const decoded = jwt.verify(
+      token,
+      process.env.JWT_SECRET || 'fallback-secret'
+    ) as JwtPayload;
+    req.user = decoded;
+    next();
+  } catch {
+    res.status(401).json({ success: false, error: 'Ungültiger Token' });
+  }
+}
+
+export function requirePermission(...requiredPermissions: string[]) {
+  return (req: AuthRequest, res: Response, next: NextFunction): void => {
+    if (!req.user) {
+      res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
+      return;
+    }
+
+    const userPermissions = req.user.permissions || [];
+
+    // Check if user has any of the required permissions
+    const hasPermission = requiredPermissions.some((perm) =>
+      userPermissions.includes(perm)
+    );
+
+    if (!hasPermission) {
+      res.status(403).json({
+        success: false,
+        error: 'Keine Berechtigung für diese Aktion',
+      });
+      return;
+    }
+
+    next();
+  };
+}
+
+// Middleware to check if user can access specific customer data
+export function requireCustomerAccess(
+  req: AuthRequest,
+  res: Response,
+  next: NextFunction
+): void {
+  if (!req.user) {
+    res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
+    return;
+  }
+
+  const userPermissions = req.user.permissions || [];
+
+  // Admins and employees can access all customers
+  if (
+    userPermissions.includes('customers:read') ||
+    userPermissions.includes('customers:update')
+  ) {
+    next();
+    return;
+  }
+
+  // Customers can only access their own data
+  const customerId = parseInt(req.params.customerId || req.params.id);
+  if (req.user.customerId && req.user.customerId === customerId) {
+    next();
+    return;
+  }
+
+  res.status(403).json({
+    success: false,
+    error: 'Kein Zugriff auf diese Kundendaten',
+  });
+}