src/middleware.ts

import { clerkMiddleware, createRouteMatcher, clerkClient } from '@clerk/astro/server';
import 'dotenv/config';
 
declare global {
  namespace App {
    interface Locals {
      canAddInventory: boolean;
    }
  }
}
 
const isProtectedRoute = createRouteMatcher(['/pokemon']);
const isAdminRoute = createRouteMatcher(['/admin']);
 
const TARGET_ORG_ID = "org_3Baav9czkRLLlC7g89oJWqRRulK";
const ADMIN_ORG_IDS = new Set([
  "org_3Baav9czkRLLlC7g89oJWqRRulK",
  "org_3ABdwuK3qD7Saq590ZMQWY7AvVz",
]);
 
export const onRequest = clerkMiddleware(async (auth, context, next) => {
  const { isAuthenticated, userId, redirectToSignIn, has } = auth();
 
  if (!isAuthenticated && isProtectedRoute(context.request)) {
    return redirectToSignIn();
  }
 
  // ── Inventory visibility check ──────────────────────────────────────────────
  // Resolves to true if the user belongs to the target org OR has the feature
  const canAddInventory = process.env.INVENTORY_ACCESS === 'true' ||
    (
      isAuthenticated &&
      userId &&
      (
        !!has({ permission: "org:feature:inventory_add" }) ||   // Clerk feature flag
        (await getUserOrgIds(context, userId)).includes(TARGET_ORG_ID)
      )
    );
 
  // Expose the flag to your Astro pages via locals
  context.locals.canAddInventory = Boolean(canAddInventory);
 
  // ── Admin route guard ───────────────────────────────────────────
  if (isAdminRoute(context.request)) {
    if (!isAuthenticated || !userId) {
      return redirectToSignIn();
    }
 
    try {
      const client = await clerkClient(context);
      const userOrgIds = await getUserOrgIds(context, userId);
      const matchingOrgIds = userOrgIds.filter((id) => ADMIN_ORG_IDS.has(id));
 
      if (matchingOrgIds.length === 0) {
        return new Response(null, { status: 404 });
      }
 
      const membershipLists = await Promise.all(
        matchingOrgIds.map((orgId) =>
          client.organizations.getOrganizationMembershipList({ organizationId: orgId })
        )
      );
 
      const isAdmin = membershipLists.some((list) =>
        list.data.some(
          (m) => m.publicUserData?.userId === userId && m.role === "org:admin"
        )
      );
 
      if (!isAdmin) {
        return new Response(null, { status: 404 });
      }
    } catch (e) {
      console.error("Clerk membership check failed:", e);
      return context.redirect("/");
    }
  }
 
  return next();
});
 
// ── Helper: fetch all org IDs the current user belongs to ───────────────────
async function getUserOrgIds(context: any, userId: string): Promise<string[]> {
  try {
    const client = await clerkClient(context);
    const memberships = await client.users.getOrganizationMembershipList({ userId });
    return memberships.data.map((m) => m.organization.id);
  } catch (e) {
    console.error("Failed to fetch user org memberships:", e);
    return [];
  }
}
added /admin for admin panel - limited to users in the admin role (also updated local .env to match prod keys for clerk) 2026-03-28 16:52:53 -04:00			`import { clerkMiddleware, createRouteMatcher, clerkClient } from '@clerk/astro/server';`
[feat] override inventory access in .env 2026-04-09 14:21:26 -04:00			`import 'dotenv/config';`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
[feat] override inventory access in .env 2026-04-09 14:21:26 -04:00			`declare global {`
			`namespace App {`
			`interface Locals {`
			`canAddInventory: boolean;`
			`}`
			`}`
			`}`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
added /admin for admin panel - limited to users in the admin role (also updated local .env to match prod keys for clerk) 2026-03-28 16:52:53 -04:00			`const isProtectedRoute = createRouteMatcher(['/pokemon']);`
			`const isAdminRoute = createRouteMatcher(['/admin']);`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
added /admin for admin panel - limited to users in the admin role (also updated local .env to match prod keys for clerk) 2026-03-28 16:52:53 -04:00			`const TARGET_ORG_ID = "org_3Baav9czkRLLlC7g89oJWqRRulK";`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00			`const ADMIN_ORG_IDS = new Set([`
			`"org_3Baav9czkRLLlC7g89oJWqRRulK",`
			`"org_3ABdwuK3qD7Saq590ZMQWY7AvVz",`
			`]);`

[feat] override inventory access in .env 2026-04-09 14:21:26 -04:00			`export const onRequest = clerkMiddleware(async (auth, context, next) => {`
style updates and re-added auth with a new method (thad to confirm) 2026-04-08 07:50:27 -04:00			`const { isAuthenticated, userId, redirectToSignIn, has } = auth();`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
clerk was missing /shared npm package 2026-03-05 22:59:16 -05:00			`if (!isAuthenticated && isProtectedRoute(context.request)) {`
added /admin for admin panel - limited to users in the admin role (also updated local .env to match prod keys for clerk) 2026-03-28 16:52:53 -04:00			`return redirectToSignIn();`
			`}`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
style updates and re-added auth with a new method (thad to confirm) 2026-04-08 07:50:27 -04:00			`// ── Inventory visibility check ──────────────────────────────────────────────`
			`// Resolves to true if the user belongs to the target org OR has the feature`
[feat] override inventory access in .env 2026-04-09 14:21:26 -04:00			`const canAddInventory = process.env.INVENTORY_ACCESS === 'true' \|\|`
style updates and re-added auth with a new method (thad to confirm) 2026-04-08 07:50:27 -04:00			`(`
[feat] override inventory access in .env 2026-04-09 14:21:26 -04:00			`isAuthenticated &&`
			`userId &&`
			`(`
			`!!has({ permission: "org:feature:inventory_add" }) \|\| // Clerk feature flag`
			`(await getUserOrgIds(context, userId)).includes(TARGET_ORG_ID)`
			`)`
style updates and re-added auth with a new method (thad to confirm) 2026-04-08 07:50:27 -04:00			`);`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
style updates and re-added auth with a new method (thad to confirm) 2026-04-08 07:50:27 -04:00			`// Expose the flag to your Astro pages via locals`
[feat] override inventory access in .env 2026-04-09 14:21:26 -04:00			`context.locals.canAddInventory = Boolean(canAddInventory);`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
Merge branch 'feat/inventory' 2026-05-26 05:32:26 -04:00			`// ── Admin route guard ───────────────────────────────────────────`
added /admin for admin panel - limited to users in the admin role (also updated local .env to match prod keys for clerk) 2026-03-28 16:52:53 -04:00			`if (isAdminRoute(context.request)) {`
			`if (!isAuthenticated \|\| !userId) {`
			`return redirectToSignIn();`
			`}`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
added /admin for admin panel - limited to users in the admin role (also updated local .env to match prod keys for clerk) 2026-03-28 16:52:53 -04:00			`try {`
style updates and re-added auth with a new method (thad to confirm) 2026-04-08 07:50:27 -04:00			`const client = await clerkClient(context);`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00			`const userOrgIds = await getUserOrgIds(context, userId);`
			`const matchingOrgIds = userOrgIds.filter((id) => ADMIN_ORG_IDS.has(id));`

			`if (matchingOrgIds.length === 0) {`
			`return new Response(null, { status: 404 });`
			`}`

			`const membershipLists = await Promise.all(`
			`matchingOrgIds.map((orgId) =>`
			`client.organizations.getOrganizationMembershipList({ organizationId: orgId })`
			`)`
added /admin for admin panel - limited to users in the admin role (also updated local .env to match prod keys for clerk) 2026-03-28 16:52:53 -04:00			`);`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
			`const isAdmin = membershipLists.some((list) =>`
			`list.data.some(`
			`(m) => m.publicUserData?.userId === userId && m.role === "org:admin"`
			`)`
			`);`

			`if (!isAdmin) {`
style updates and re-added auth with a new method (thad to confirm) 2026-04-08 07:50:27 -04:00			`return new Response(null, { status: 404 });`
added /admin for admin panel - limited to users in the admin role (also updated local .env to match prod keys for clerk) 2026-03-28 16:52:53 -04:00			`}`
			`} catch (e) {`
			`console.error("Clerk membership check failed:", e);`
			`return context.redirect("/");`
			`}`
fix 100% height header and added auth to /pokemon 2026-02-25 20:31:13 -05:00			`}`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
[feat] override inventory access in .env 2026-04-09 14:21:26 -04:00			`return next();`
fix 100% height header and added auth to /pokemon 2026-02-25 20:31:13 -05:00			`});`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00
style updates and re-added auth with a new method (thad to confirm) 2026-04-08 07:50:27 -04:00			`// ── Helper: fetch all org IDs the current user belongs to ───────────────────`
			`async function getUserOrgIds(context: any, userId: string): Promise<string[]> {`
			`try {`
			`const client = await clerkClient(context);`
			`const memberships = await client.users.getOrganizationMembershipList({ userId });`
			`return memberships.data.map((m) => m.organization.id);`
			`} catch (e) {`
			`console.error("Failed to fetch user org memberships:", e);`
			`return [];`
			`}`
[bugfix] allow local clerk to work 2026-05-28 14:42:50 -04:00			`}`