const jwt = require('jsonwebtoken'); const { User, Tenant } = require('../models'); async function authenticateToken(req, res, next) { const authHeader = req.headers['authorization']; const token = authHeader && authHeader.split(' ')[1]; if (!token) { return res.status(401).json({ success: false, message: 'Access token required' }); } try { const decoded = jwt.verify(token, process.env.JWT_SECRET); // Log what's in the token for debugging console.log('🔍 JWT Token decoded:', { userId: decoded.userId, username: decoded.username, role: decoded.role, tenantId: decoded.tenantId, provider: decoded.provider }); // For older tokens without tenantId, we need to look up the user's tenant let tenantId = decoded.tenantId; const user = await User.findByPk(decoded.userId, { attributes: ['id', 'username', 'email', 'role', 'is_active', 'tenant_id'], include: [{ model: Tenant, as: 'tenant', attributes: ['slug', 'name'] }] }); if (!user || !user.is_active) { return res.status(401).json({ success: false, message: 'Invalid or inactive user' }); } req.user = user; // Set tenant context - prefer JWT tenantId, fallback to user's tenant if (tenantId) { req.tenantId = tenantId; console.log('✅ Tenant context from JWT:', tenantId); } else if (user.tenant && user.tenant.slug) { req.tenantId = user.tenant.slug; console.log('✅ Tenant context from user record:', user.tenant.slug); } else { console.log('⚠️ No tenant context available'); } next(); } catch (error) { console.error('Token verification error:', error); return res.status(403).json({ success: false, message: 'Invalid or expired token' }); } } function requireRole(roles) { return (req, res, next) => { if (!req.user) { return res.status(401).json({ success: false, message: 'Authentication required' }); } const userRoles = Array.isArray(roles) ? roles : [roles]; if (!userRoles.includes(req.user.role)) { return res.status(403).json({ success: false, message: 'Insufficient permissions' }); } next(); }; } module.exports = { authenticateToken, requireRole };