Merge pull request #200 from devxsameer/feature/rbac-admin-enforcement

feat: enforce RBAC on admin routes (deny-by-default) with tests  Closes #115

Author: 1nonlypiece

src/middleware/rbac.ts

@@ -1,25 +1,49 @@
 import { Request, Response, NextFunction } from 'express'
 import { UserRole } from '../types/user.js'
 
-export function requireRole(...allowedRoles: UserRole[]) {
-     return (req: Request, res: Response, next: NextFunction): void => {
-          if (!req.user) {
-               res.status(401).json({ error: 'Unauthenticated' })
-               return
-          }
+type RBACOptions = {
+  allow: UserRole[];
+};
 
-          if (!allowedRoles.includes(req.user.role)) {
-               res.status(403).json({
-                    error: `Forbidden: requires role ${allowedRoles.join(' or ')}, got '${req.user.role}'`,
-               })
-               return
-          }
+const logRBACDenied = (req: Request, reason: string) => {
+  console.warn(
+    JSON.stringify({
+      level: "warn",
+      event: "security.rbac_denied",
+      service: "disciplr-backend",
+      userId: req.user?.userId ?? "unknown",
+      role: req.user?.role ?? "unknown",
+      path: req.originalUrl,
+      method: req.method,
+      reason,
+      timestamp: new Date().toISOString(),
+    }),
+  );
+};
 
-          next()
-     }
-}
+export const enforceRBAC = (options: RBACOptions) => {
+  return (req: Request, res: Response, next: NextFunction): void => {
+    // Deny by default
+    if (!req.user) {
+      logRBACDenied(req, "missing_user");
+      res.status(401).json({ error: "Unauthorized" });
+      return;
+    }
 
-// Convenience helpers
-export const requireUser = requireRole(UserRole.USER, UserRole.VERIFIER, UserRole.ADMIN)
-export const requireVerifier = requireRole(UserRole.VERIFIER, UserRole.ADMIN)
-export const requireAdmin = requireRole(UserRole.ADMIN)
+    if (!options.allow.includes(req.user.role)) {
+      logRBACDenied(req, "insufficient_role");
+      res.status(403).json({
+        error: "Forbidden",
+        message: `Requires role: ${options.allow.join(", ")}`,
+      });
+      return;
+    }
+
+    next();
+  };
+};
+
+// Convenience
+export const requireAdmin = enforceRBAC({
+  allow: [UserRole.ADMIN],
+});

src/routes/admin.ts

@@ -11,7 +11,7 @@ export const adminRouter = Router()
 
 // Apply authentication to all admin routes
 adminRouter.use(authenticate)
-adminRouter.use(authorize([UserRole.ADMIN]))
+adminRouter.use(requireAdmin)
 
 /**
  * Force-logout a user (Admin only) - Preserve Issue #46 logic

src/tests/admin.rbac.test.ts

@@ -0,0 +1,32 @@
+import request from "supertest";
+import { app } from "../app.js";
+import jwt from "jsonwebtoken";
+
+const SECRET = process.env.JWT_SECRET || "change-me-in-production";
+
+const makeToken = (role: string) =>
+  jwt.sign({ userId: "test-user", role }, SECRET);
+
+describe("Admin RBAC", () => {
+  it("allows ADMIN", async () => {
+    const res = await request(app)
+      .get("/api/admin/audit-logs")
+      .set("Authorization", `Bearer ${makeToken("ADMIN")}`);
+
+    expect(res.status).not.toBe(403);
+  });
+
+  it("denies USER", async () => {
+    const res = await request(app)
+      .get("/api/admin/audit-logs")
+      .set("Authorization", `Bearer ${makeToken("USER")}`);
+
+    expect(res.status).toBe(403);
+  });
+
+  it("denies unauthenticated", async () => {
+    const res = await request(app).get("/api/admin/audit-logs");
+
+    expect(res.status).toBe(401);
+  });
+});