feat(rbac): enforce admin access checks and document permission model

2026-02-10 12:16:36 +01:00
parent 4041a4ac4a
commit 947cb0a3d7
13 changed files with 458 additions and 8 deletions
--- a/apps/admin/src/middleware.ts
+++ b/apps/admin/src/middleware.ts
@@ -0,0 +1,37 @@
+import { type NextRequest, NextResponse } from "next/server"
+
+import { canAccessRoute, getRequiredPermission, resolveRoleFromRequest } from "@/lib/access"
+
+export function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl
+
+  const role = resolveRoleFromRequest(request)
+
+  if (!role) {
+    const unauthorizedUrl = request.nextUrl.clone()
+    unauthorizedUrl.pathname = "/unauthorized"
+    unauthorizedUrl.searchParams.set("reason", "missing-role")
+
+    return NextResponse.redirect(unauthorizedUrl)
+  }
+
+  if (!canAccessRoute(role, pathname)) {
+    const unauthorizedUrl = request.nextUrl.clone()
+    unauthorizedUrl.pathname = "/unauthorized"
+
+    const required = getRequiredPermission(pathname)
+    unauthorizedUrl.searchParams.set("required", required.permission)
+    unauthorizedUrl.searchParams.set("scope", required.scope)
+
+    return NextResponse.redirect(unauthorizedUrl)
+  }
+
+  const response = NextResponse.next()
+  response.headers.set("x-cms-role", role)
+
+  return response
+}
+
+export const config = {
+  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
+}