From b58bf1e4f661e736171084a3d80feaad78ba48dd Mon Sep 17 00:00:00 2001
From: Alexander Borg
Date: Wed, 17 Sep 2025 06:06:02 +0200
Subject: [PATCH] Fix jwt-token

---
 server/routes/health.js | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/server/routes/health.js b/server/routes/health.js
index 8f99f2a..7479e7e 100644
--- a/server/routes/health.js
+++ b/server/routes/health.js
@@ -103,8 +103,19 @@ router.get('/detailed', async (req, res) => {
 });
 }
 
- // Check if user is admin (handle both test mock and real auth)
- const userRole = req.user?.role || 'admin'; // Default to admin for tests that don't set role
+ // Extract role from JWT token if not set by middleware
+ let userRole = req.user?.role;
+ if (!userRole && req.headers.authorization) {
+ try {
+ const jwt = require('jsonwebtoken');
+ const token = req.headers.authorization.replace('Bearer ', '');
+ const decoded = jwt.verify(token, process.env.JWT_SECRET || 'test-secret');
+ userRole = decoded.role;
+ } catch (error) {
+ // If we can't decode, fall back to checking user role
+ }
+ }
+
 if (userRole !== 'admin') {
 return res.status(403).json({
 success: false,
@@ -389,8 +400,19 @@ router.get('/metrics', async (req, res) => {
 });
 }
 
- // Check if user is admin
- const userRole = req.user?.role || 'admin';
+ // Check if user is admin - extract role from JWT token if not set by middleware
+ let userRole = req.user?.role;
+ if (!userRole && req.headers.authorization) {
+ try {
+ const jwt = require('jsonwebtoken');
+ const token = req.headers.authorization.replace('Bearer ', '');
+ const decoded = jwt.verify(token, process.env.JWT_SECRET || 'test-secret');
+ userRole = decoded.role;
+ } catch (error) {
+ // If we can't decode, role remains undefined
+ }
+ }
+
 if (userRole !== 'admin') {
 return res.status(403).json({
 status: 'error',
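Review bot: The fallback `process.env.JWT_SECRET || 'test-secret'` in the new `jwt.verify` call means that in any deployment where `JWT_SECRET` is unset, a token signed with the literal `'test-secret'` verifies and is granted the admin role; the identical line appears in the `/metrics` hunk. Fail closed instead: read the secret once with `const secret = process.env.JWT_SECRET;`, then `if (!secret) throw new Error('JWT_SECRET is not configured');` (tests can set the variable), and restrict verification to the algorithm the issuer actually uses with `jwt.verify(token, secret, { algorithms: ['HS256'] })`. The empty `catch (error)` block turns that misconfiguration into an unexplained 403, so log `error.message` there at a minimum rather than discarding it. The `/detailed` handler's body starts and ends outside the hunk.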
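Review bot: The role-extraction block added to `/metrics` is a line-for-line copy of the one added to `/detailed`, including the per-request `require('jsonwebtoken')` inside the handler, and the two copies already differ in their `catch` comments, which is how duplicated security checks drift apart. Hoist the `require` to the module's import section and move the extraction into a single module-level helper so both handlers reduce to `const userRole = getUserRole(req);`, or have the middleware the comment refers to populate `req.user.role` so route handlers never parse tokens themselves. The `/metrics` handler's body starts and ends outside the hunk.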