featur add fahrmeister

backend/src/middleware/rbac.middleware.ts

@@ -134,3 +134,44 @@ export function requirePermission(permission: string) {
 }
 
 export { getUserRole, hasPermission };
+
+/**
+ * Middleware factory: requires the authenticated user to belong to at least
+ * one of the given Authentik groups (sourced from the JWT `groups` claim).
+ *
+ * Usage:
+ *   router.post('/api/vehicles', authenticate, requireGroups(['dashboard_admin']), handler)
+ */
+export function requireGroups(requiredGroups: string[]) {
+  return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+    if (!req.user) {
+      res.status(401).json({ success: false, message: 'Authentication required' });
+      return;
+    }
+
+    const userGroups: string[] = (req.user as any).groups ?? [];
+    const hasAccess = requiredGroups.some(g => userGroups.includes(g));
+
+    if (!hasAccess) {
+      logger.warn('Group-based access denied', {
+        userId:         req.user.id,
+        userGroups,
+        requiredGroups,
+        path:           req.path,
+      });
+
+      auditPermissionDenied(req, AuditResourceType.SYSTEM, undefined, {
+        required_groups: requiredGroups,
+        user_groups:     userGroups,
+      });
+
+      res.status(403).json({
+        success: false,
+        message: 'Keine Berechtigung für diese Aktion',
+      });
+      return;
+    }
+
+    next();
+  };
+}