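import { NextResponse } from "next/server";
import { getServerSession } from "next-auth/next";
import { authOptions } from "./auth-config";

/** The authenticated principal as seen by API route handlers. */
export type ApiUser = {
  id: string;
  email: string;
  role: "superadmin" | "admin" | "teacher";
  // Optional: getScopedEstablishmentId uses it as the tenant the user is confined to.
  establishmentId?: string;
};

/**
 * Resolve the current next-auth session and return its user, or a
 * ready-to-send 401 response when there is no session user.
 *
 * Callers must check `instanceof NextResponse` before using the result.
 * The session user is accepted as-is via a type assertion: `role` and
 * `establishmentId` are whatever the session carries (presumably set by
 * the callbacks in ./auth-config — confirm they are derived from the
 * server-side user record, since every authorization check below trusts them).
 *
 * @returns the session user, or a 401 JSON response
 */
export async function requireAuth(): Promise<ApiUser | NextResponse> {
  const session = await getServerSession(authOptions);
  if (!session?.user) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }
  // Assertion, not validation: no runtime check that the shape matches ApiUser.
  return session.user as ApiUser;
}

/**
 * Build the shared 403 JSON response.
 *
 * @returns a response with `{ error: "Forbidden" }` and status 403
 */
export function forbidden(): NextResponse {
  return NextResponse.json({ error: "Forbidden" }, { status: 403 });
}

/**
 * Check that the user's role is one of the allowed roles.
 *
 * Pass roles as the literal values of `ApiUser["role"]`; a misspelled role
 * here silently forbids everyone, so prefer spelling them from that union.
 *
 * @param user - the authenticated user (from requireAuth)
 * @param allowed - roles that may proceed
 * @returns null when the role is allowed, otherwise a 403 JSON response
 */
export function requireRole(user: ApiUser, ...allowed: string[]): NextResponse | null {
  if (!allowed.includes(user.role)) {
    return forbidden();
  }
  return null;
}

/**
 * Decide which establishment a request may operate on.
 *
 * - superadmin: the requested id wins (any establishment, or none if omitted).
 * - any other role: a requested id must equal the user's own
 *   `establishmentId`, otherwise a 403 is returned; with no request the
 *   user's own id is used.
 *
 * Note that the non-superadmin branch only compares when `requested` is
 * truthy, so an empty string is treated like "not requested". Also, a
 * non-superadmin with no `establishmentId` yields `undefined` here —
 * NOTE(review): confirm callers treat `undefined` as "no scope" and not
 * as "all establishments", otherwise such a user would see cross-tenant data.
 *
 * @param user - the authenticated user
 * @param requested - establishment id from the request (query/body), if any
 * @returns the effective establishment id, `undefined` for no scope, or a 403 response
 */
export function getScopedEstablishmentId(
  user: ApiUser,
  requested?: string | null
): string | undefined | NextResponse {
  if (user.role === "superadmin") {
    // Normalise null to undefined so callers only deal with one "absent" value.
    return requested ?? undefined;
  }
  if (requested && requested !== user.establishmentId) {
    return forbidden();
  }
  return user.establishmentId;
}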