const jwt = require('jsonwebtoken');
const Admin = require('../models/adminModel');
const asyncHandler = require('express-async-handler');
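/**
 * Express middleware that authenticates an admin from a `Bearer` JWT in the
 * Authorization header and attaches the loaded document to `req.admin`.
 *
 * Checks, in order:
 *   1. missing/unsupported Authorization header -> 401 'Not authorized, no token'
 *   2. jwt.verify rejects the token              -> 401 'Not authorized, token failed'
 *   3. no admin with the token's `id`            -> 401 'Admin not found'
 *   4. admin flagged inactive                    -> 401 'Admin account is deactivated'
 *
 * Errors are thrown after setting the status so express-async-handler forwards
 * them to the error-handling middleware. The try/catch is limited to
 * jwt.verify: previously it also wrapped the database lookup and next(), so
 * the 'Admin not found' / 'deactivated' messages were never surfaced and a
 * failure further down the chain was misreported as a token error. A database
 * error now reaches the error handler as itself instead of as a 401.
 */
const protectAdmin = asyncHandler(async (req, res, next) => {
  const header = req.headers.authorization;
  // Require the scheme and its separator so a header such as 'Bearerxyz' is
  // treated as "no token" rather than being split and verified.
  const token = header && header.startsWith('Bearer ')
    ? header.split(' ')[1]
    : undefined;
  if (!token) {
    res.status(401);
    throw new Error('Not authorized, no token');
  }

  let decoded;
  try {
    decoded = jwt.verify(token, process.env.JWT_SECRET_KEY);
  } catch (error) {
    // Only verification failures map to this generic message; the underlying
    // reason (bad signature, expiry, malformed token) is not echoed back.
    res.status(401);
    throw new Error('Not authorized, token failed');
  }

  // The password hash is never needed downstream; keep it off the request.
  const admin = await Admin.findById(decoded.id).select('-password');
  if (!admin) {
    res.status(401);
    throw new Error('Admin not found');
  }
  if (!admin.isActive) {
    res.status(401);
    throw new Error('Admin account is deactivated');
  }

  req.admin = admin;
  // Outside the try/catch so downstream errors are not reported as token failures.
  next();
});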
/**
 * Builds middleware that lets the request through only when the admin already
 * attached to the request (`req.admin`) reports `hasPermission(resource, action)`
 * as truthy.
 *
 * @param {string} resource - Resource name checked against the admin's permissions.
 * @param {string} action - Action on that resource.
 * @returns {function} Express middleware; throws with status 401 when no admin is
 *   attached and with status 403 when the permission is not granted.
 */
const requirePermission = (resource, action) => (req, res, next) => {
  const { admin } = req;
  if (!admin) {
    res.status(401);
    throw new Error('Authentication required');
  }
  const granted = admin.hasPermission(resource, action);
  if (!granted) {
    res.status(403);
    throw new Error(`Insufficient permissions: ${resource}.${action}`);
  }
  next();
};
/**
 * Builds middleware that lets the request through only when `req.admin.role`
 * is one of the given roles.
 *
 * @param {string|string[]} roles - A single role name or a list of acceptable ones.
 * @returns {function} Express middleware; throws with status 401 when no admin is
 *   attached and with status 403 when the admin's role is not in the list.
 */
const requireRole = (roles) => (req, res, next) => {
  const { admin } = req;
  if (!admin) {
    res.status(401);
    throw new Error('Authentication required');
  }
  // A bare role name is treated as a one-element list.
  const allowedRoles = Array.isArray(roles) ? roles : [roles];
  const permitted = new Set(allowedRoles).has(admin.role);
  if (!permitted) {
    res.status(403);
    throw new Error(`Insufficient role. Required: ${allowedRoles.join(' or ')}`);
  }
  next();
};
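/**
 * Middleware factory that records an entry in the authenticated admin's
 * `activityLog` when the response for this request is sent with a status
 * below 400. Requests without `req.admin` are passed through untouched.
 *
 * @param {string} action - Short label for the activity.
 * @param {string} description - Human-readable description of the activity.
 * @returns {function} Express middleware that wraps `res.send`.
 */
const logAdminActivity = (action, description) => {
  return (req, res, next) => {
    const originalSend = res.send;
    // Express' res.send() hands object bodies to res.json(), which calls
    // res.send() again — so this wrapper can run twice for one response.
    // Record the activity at most once per request.
    let logged = false;
    res.send = function(data) {
      if (!logged && req.admin && res.statusCode < 400) {
        logged = true;
        // req.socket is the current name for the deprecated req.connection;
        // fall back through both instead of throwing inside send() when
        // req.ip is unavailable.
        const socket = req.socket || req.connection;
        const activityLog = {
          action,
          description,
          ipAddress: req.ip || (socket && socket.remoteAddress),
          userAgent: req.get('User-Agent'),
          timestamp: new Date()
        };
        // Fire-and-forget: the response does not wait for the audit write,
        // but a failed write is reported rather than silently dropped.
        Admin.findByIdAndUpdate(
          req.admin._id,
          { $push: { activityLog: activityLog } },
          { new: true }
        ).catch(err => console.error('Failed to log admin activity:', err));
      }
      // Preserve res.send's return value (the response object) for chaining.
      return originalSend.call(this, data);
    };
    next();
  };
};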
// Public surface of this module: the authentication guard (protectAdmin), the
// two authorization guards, and the response-time activity logger.
module.exports = { protectAdmin, requirePermission, requireRole, logAdminActivity };