style updates and re-added auth with a new method (thad to confirm)

2026-04-08 07:50:27 -04:00
parent d2ad949c2e
commit d5dbb7718d
4 changed files with 81 additions and 46 deletions
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -1,17 +1,64 @@
-// src/middleware.ts
-import { clerkMiddleware, createRouteMatcher } from '@clerk/astro/server';
-import type { AstroMiddlewareRequest, AstroMiddlewareResponse } from 'astro';
+import { clerkMiddleware, createRouteMatcher, clerkClient } from '@clerk/astro/server';

-const isProtectedRoute = createRouteMatcher([
-  '/pokemon',
-]);
+const isProtectedRoute = createRouteMatcher(['/pokemon']);
+const isAdminRoute = createRouteMatcher(['/admin']);

-export const onRequest = clerkMiddleware((auth, context) => {
-  const { isAuthenticated, redirectToSignIn } = auth()
+const TARGET_ORG_ID = "org_3Baav9czkRLLlC7g89oJWqRRulK";
+
+export const onRequest = clerkMiddleware(async (auth, context) => {
+  const { isAuthenticated, userId, redirectToSignIn, has } = auth();

  if (!isAuthenticated && isProtectedRoute(context.request)) {
-    // Add custom logic to run before redirecting
+    return redirectToSignIn();
+  }

-    return redirectToSignIn()
+  // ── Inventory visibility check ──────────────────────────────────────────────
+  // Resolves to true if the user belongs to the target org OR has the feature
+  const canAddInventory =
+    isAuthenticated &&
+    userId &&
+    (
+      has({ permission: "org:feature:inventory_add" }) ||   // Clerk feature flag
+      (await getUserOrgIds(context, userId)).includes(TARGET_ORG_ID)
+    );
+
+  // Expose the flag to your Astro pages via locals
+  context.locals.canAddInventory = canAddInventory ?? false;
+
+  // ── Admin route guard (unchanged) ───────────────────────────────────────────
+  if (isAdminRoute(context.request)) {
+    if (!isAuthenticated || !userId) {
+      return redirectToSignIn();
+    }
+
+    try {
+      const client = await clerkClient(context);
+      const memberships = await client.organizations.getOrganizationMembershipList({
+        organizationId: TARGET_ORG_ID,
+      });
+
+      const userMembership = memberships.data.find(
+        (m) => m.publicUserData?.userId === userId
+      );
+
+      if (!userMembership || userMembership.role !== "org:admin") {
+        return new Response(null, { status: 404 });
+      }
+    } catch (e) {
+      console.error("Clerk membership check failed:", e);
+      return context.redirect("/");
+    }
  }
 });
+
+// ── Helper: fetch all org IDs the current user belongs to ───────────────────
+async function getUserOrgIds(context: any, userId: string): Promise<string[]> {
+  try {
+    const client = await clerkClient(context);
+    const memberships = await client.users.getOrganizationMembershipList({ userId });
+    return memberships.data.map((m) => m.organization.id);
+  } catch (e) {
+    console.error("Failed to fetch user org memberships:", e);
+    return [];
+  }
+}