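'use strict';

const crypto = require('node:crypto');
const jwt = require('jsonwebtoken');

/**
 * SHA-256 digest of a string (UTF-8), as a Buffer.
 * Used so that token comparison works on fixed-length values.
 * @param {string} s
 * @returns {Buffer}
 */
function sha256(s) {
  return crypto.createHash('sha256').update(s, 'utf8').digest();
}

/**
 * Static API tokens accepted without any role check (dev/admin use).
 * Read once at startup from the comma-separated API_TOKENS env variable;
 * entries are trimmed and blank ones dropped. Stored as SHA-256 digests so
 * the per-request comparison below is constant-time and length-independent.
 */
const ENV_TOKEN_DIGESTS = (process.env.API_TOKENS || '')
  .split(',')
  .map((t) => t.trim())
  .filter(Boolean)
  .map(sha256);

/**
 * True when `token` matches one of the configured static tokens.
 * Compares digests with crypto.timingSafeEqual rather than `includes`/`===`,
 * so the comparison does not leak how many leading bytes matched.
 * @param {string} token
 * @returns {boolean}
 */
function isStaticToken(token) {
  const digest = sha256(token);
  return ENV_TOKEN_DIGESTS.some((known) => crypto.timingSafeEqual(digest, known));
}

/**
 * Extracts the bearer token from an Authorization header value.
 * The scheme name is matched case-insensitively (RFC 7235 §2.1).
 * @param {string|undefined} header - raw Authorization header value
 * @returns {string|null} the token, or null if absent / not a Bearer credential
 */
function extractBearer(header) {
  if (typeof header !== 'string') return null;
  const match = /^Bearer\s+(.+)$/i.exec(header);
  return match ? match[1] : null;
}

/**
 * Express middleware: authenticates a request via the Authorization header.
 *
 * Accepts either (a) a static token from API_TOKENS — these bypass the role
 * check entirely, so they must be treated as admin credentials — or (b) a JWT
 * signed with JWT_SECRET, whose verified payload is attached to `req.user`.
 *
 * Responds 401 when the header is missing, not a Bearer credential, or the JWT
 * fails verification; 403 when the JWT's `role` claim is 'end-user'.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
module.exports = function auth(req, res, next) {
  const token = extractBearer(req.headers['authorization']);
  if (!token) return res.status(401).json({ error: 'Unauthorized' });

  // Dev/admin tokens from the environment — no role check is applied.
  if (isStaticToken(token)) return next();

  let payload;
  try {
    // Pin the accepted algorithms explicitly (the HMAC family, which is what a
    // string secret implies) so a token carrying a different `alg` header is
    // never verified against this secret.
    payload = jwt.verify(token, process.env.JWT_SECRET, {
      algorithms: ['HS256', 'HS384', 'HS512'],
    });
  } catch (err) {
    // A missing JWT_SECRET also lands here (verify throws) and surfaces as a
    // generic 401; validating the variable at startup would make that visible.
    return res.status(401).json({ error: 'Invalid or expired token' });
  }

  // NOTE(review): this is a denylist — only 'end-user' is rejected, so a token
  // with no `role` claim at all passes. An allowlist of permitted roles would be
  // the safer shape; kept as-is to preserve current behaviour.
  if (payload.role === 'end-user') return res.status(403).json({ error: 'Insufficient permissions' });

  req.user = payload;
  // Called outside the try block so that an exception thrown by a downstream
  // handler is not swallowed and reported as a 401.
  return next();
};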