Two-layer authentication and authorisation middleware.
Layer 1 — requireAuth: Verifies the Bearer token and attaches the full
User record to req.user. Returns 401 if the token is missing, invalid,
or expired.
Layer 2 — requireRole(...allowedRoles): Verifies the caller is a member of the
target workspace (the :workspaceId route parameter) with one of the allowed
roles. Attaches the full Membership and Workspace to req.membership. Returns
403 if the caller is not a member or the membership role is not in the allowed
list. It relies on req.user already being set, so it must run after requireAuth.
Both middlewares attach data to the request so route handlers never need
extra DB reads to get user or workspace information.
Example
  // Protect a route — authentication + role check in one line
  router.delete(
    '/:workspaceId/employees/:userId',
    requireAuth,
    requireRole('OWNER', 'MANAGER'),
    handler
  )
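The following is an added, self-contained sketch of the two layers described above, not the project's own middleware. It assumes plain Express-style (req, res, next) functions, an opaque Bearer token looked up in an in-memory session table (standing in for real token verification), and in-memory User, Workspace and Membership records; all of that data is constructed for the example. A small runChain helper drives the chain the way Express would so the status codes can be checked without a server.

```javascript
// Constructed sample data standing in for the database and the token verifier.
const now = () => Date.now();
const USERS = {
  u1: { id: 'u1', email: 'alice@example.com' },
  u2: { id: 'u2', email: 'bob@example.com' },
};
const SESSIONS = {
  'tok-alice': { userId: 'u1', expiresAt: now() + 3600000 },
  'tok-bob':   { userId: 'u2', expiresAt: now() + 3600000 },
  'tok-stale': { userId: 'u1', expiresAt: now() - 1 },       // expired
};
const WORKSPACES = { w1: { id: 'w1', name: 'Acme' } };
const MEMBERSHIPS = [
  { workspaceId: 'w1', userId: 'u1', role: 'OWNER' },
  { workspaceId: 'w1', userId: 'u2', role: 'EMPLOYEE' },
];

// Strict "Bearer <token>" parse: one scheme, one token, nothing else.
function parseBearer(header) {
  if (typeof header !== 'string') return null;
  const [scheme, token, ...rest] = header.trim().split(/\s+/);
  if (rest.length || !token || scheme.toLowerCase() !== 'bearer') return null;
  return token;
}

// Layer 1: missing, unknown or expired token -> 401 with a uniform body
// (the caller learns nothing about which check failed).
function requireAuth(req, res, next) {
  const token = parseBearer(req.headers && req.headers.authorization);
  const session = token ? SESSIONS[token] : undefined;
  const user = session && session.expiresAt > now() ? USERS[session.userId] : undefined;
  if (!user) return res.status(401).json({ error: 'unauthenticated' });
  req.user = user;
  return next();
}

// Layer 2: membership is looked up by (workspaceId from the route, caller id
// from req.user), never by a user-supplied id, so a member of one workspace
// cannot act inside another. Non-member and wrong role both yield 403.
function requireRole(...allowedRoles) {
  const allowed = new Set(allowedRoles);
  return function (req, res, next) {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' }); // chain misordered
    const workspaceId = req.params && req.params.workspaceId;
    const workspace = WORKSPACES[workspaceId];
    const membership = MEMBERSHIPS.find(
      (m) => m.workspaceId === workspaceId && m.userId === req.user.id
    );
    if (!workspace || !membership || !allowed.has(membership.role)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    req.membership = { ...membership, workspace };
    return next();
  };
}

// Minimal stand-in for Express dispatch: runs middlewares in order, then the handler.
function runChain(req, middlewares, handler) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    return mw ? mw(req, res, next) : handler(req, res);
  };
  next();
  return res;
}

function makeReq(token, workspaceId) {
  return {
    headers: token ? { authorization: `Bearer ${token}` } : {},
    params: { workspaceId },
  };
}

// Handler reads req.user / req.membership directly, no further lookups.
function deleteEmployee(req, res) {
  return res.status(200).json({ deletedBy: req.user.id, role: req.membership.role });
}

const chain = [requireAuth, requireRole('OWNER', 'MANAGER')];
function attempt(token, workspaceId) {
  return runChain(makeReq(token, workspaceId), chain, deleteEmployee);
}
```

attempt('tok-alice', 'w1') reaches the handler as OWNER; a missing or expired token stops at 401 in requireAuth, while a valid EMPLOYEE token or an unknown workspace stops at 403 in requireRole. Keeping the 401/403 split exactly as the doc states matters for clients that refresh tokens on 401 but treat 403 as final.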