feat(auth): add enrollment check, role-based sessions, and player access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
syntaxbullet
2026-04-02 13:23:35 +02:00
parent db10ebe220
commit 37fa5fc3c8
2 changed files with 36 additions and 10 deletions


@@ -4,7 +4,7 @@
*/
import type { RouteContext, RouteModule } from "./types";
import { authRoutes, isAuthenticated } from "./auth.routes";
import { authRoutes, isAuthenticated, getSession } from "./auth.routes";
import { healthRoutes } from "./health.routes";
import { statsRoutes } from "./stats.routes";
import { actionsRoutes } from "./actions.routes";
@@ -70,9 +70,21 @@ export async function handleRequest(req: Request, url: URL): Promise<Response |
// For API routes, enforce authentication
if (ctx.pathname.startsWith("/api/")) {
if (!isAuthenticated(req)) {
const session = getSession(req);
if (!session) {
return errorResponse("Unauthorized", 401);
}
// Admin-only routes: everything except stats and own user data
const playerAllowedPrefixes = ["/api/stats", "/api/health"];
const isPlayerAllowed = playerAllowedPrefixes.some(p => ctx.pathname.startsWith(p));
// Players can access their own user data
const isOwnUserRoute = ctx.pathname.match(/^\/api\/users\/\d+/) && session.role === "player";
if (session.role === "player" && !isPlayerAllowed && !isOwnUserRoute) {
return errorResponse("Admin access required", 403);
}
}
// Try protected routes