From 718e7f9d7671b038b82ad49d08293be6cebdd82d Mon Sep 17 00:00:00 2001
From: Anys
Date: Tue, 6 Jan 2026 19:05:59 +0100
Subject: [PATCH] - Add role detection - Restrict APIs to personnels - Show 403 for unauthorized access"

---
 defaults/interfaces.ts | 1 +
 routes/_middleware.ts | 28 +++++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/defaults/interfaces.ts b/defaults/interfaces.ts
index 5f2ef80..a74a0b5 100644
--- a/defaults/interfaces.ts
+++ b/defaults/interfaces.ts
@@ -4,6 +4,7 @@ import { AsyncRoute } from "$fresh/src/server/types.ts";
 interface AuthenticatedState {
 isAuthenticated: true;
 isFromPolytech: boolean;
+ role: "etudiants" | "personnels" | "autres";
 session: CasContent;
 }
 
diff --git a/routes/_middleware.ts b/routes/_middleware.ts
index fac3c99..914826e 100644
--- a/routes/_middleware.ts
+++ b/routes/_middleware.ts
@@ -26,6 +26,14 @@ function isRoutePublic(route: string): boolean {
 );
 }
 
+/**
+ * Checks if the given route is an API route.
+ * @param route The route to check.
+ * @returns `true` if the route is an API route, `false` otherwise.
+ */
+function isRouteAnAPI(route: string): boolean {
+ return route.includes("/api/");
+}
 /**
 * Get the given user's key, creating it if not already existing.
 * @param user The key's user.
@@ -83,6 +91,18 @@ export const handler: MiddlewareHandler[] = [
 
 if (isFromPolytech) {
 context.state.session = session;
+
+ if (Object.values(session.memberOf).some(
+ (value) => typeof value === "string" && value.includes("cn=amu:ufr:polytech:personnels")
+ )) {
+ context.state.role = "personnels";
+ } else if (Object.values(session.memberOf).some(
+ (value) => typeof value === "string" && value.includes("cn=amu:ufr:polytech:etudiants")
+ )) {
+ context.state.role = "etudiants";
+ } else {
+ context.state.role = "autres";
+ }
 }
 }
 
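Review bot: `route.includes("/api/")` in the new isRouteAnAPI is a substring test, so a path such as `/docs/api/x` is classified as an API route while a bare `/api` request is not; since this function gates the 403 added later in the patch, it should express the intended prefix, `return route === "/api" || route.startsWith("/api/");`. If the router treats paths case-insensitively or normalises trailing slashes, that normalisation should be applied here too — confirm against how Fresh resolves the `api/` directory. Separately, add a blank line between isRouteAnAPI's closing brace and the `/**` doc comment that follows, matching the spacing used between the other definitions in this file.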
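Review bot: The role test `value.includes("cn=amu:ufr:polytech:personnels")` is a substring match, so any DN that merely contains that text (a sibling group whose cn begins with `amu:ufr:polytech:personnels`, for instance) also grants the personnels role — the role that unlocks every API route later in this patch — so the leading RDN should be compared for equality instead. `Object.values(session.memberOf)` further assumes memberOf is an array or object: if a single-valued CAS attribute arrives as a bare string (verify against CasContent), Object.values iterates its characters and the user silently becomes `autres`, and if the attribute is absent the call throws and the request fails with a 500. The rewrite below normalises the attribute to a list and matches the cn exactly, assuming group values are LDAP DNs of the form `cn=…,ou=…` as the existing `cn=` prefix suggests; the enclosing handler starts and ends outside the hunk.
```typescript
      context.state.session = session;

      // Normalise memberOf to a list: a single-valued CAS attribute may arrive as a bare string.
      const groups = typeof session.memberOf === "string"
        ? [session.memberOf]
        : Object.values(session.memberOf ?? {});
      // Compare the leading RDN exactly rather than by substring.
      const hasGroup = (cn: string) =>
        groups.some((dn) => typeof dn === "string" && dn.split(",")[0]?.trim() === cn);

      if (hasGroup("cn=amu:ufr:polytech:personnels")) {
        context.state.role = "personnels";
      } else if (hasGroup("cn=amu:ufr:polytech:etudiants")) {
        context.state.role = "etudiants";
      } else {
        context.state.role = "autres";
      }
```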
@@ -111,7 +131,7 @@ export const handler: MiddlewareHandler[] = [
 });
 }
 
- if (context.state.isAuthenticated && !context.state.isFromPolytech) {
+ if (!context.state.isFromPolytech) {
 return new Response(null, {
 status: 403,
 headers: {
@@ -119,6 +139,12 @@ export const handler: MiddlewareHandler[] = [
 },
 });
 }
+
+ if (isRouteAnAPI(url.pathname) && !(context.state.role == "personnels")) {
+ return new Response(null, {
+ status: 403,
+ });
+ }
 }
 
 return await context.next();
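Review bot: `!(context.state.role == "personnels")` in the new API guard should be written as `context.state.role !== "personnels"`; loose equality buys nothing against a string-literal union and the negated parenthesised form reads as a double negative. This guard only runs inside the enclosing block, which opens outside the hunk — if that block is the one bypassed for routes `isRoutePublic` accepts, confirm that no `/api/` path satisfies isRoutePublic, otherwise the restriction is skipped for it. The new 403 also differs from the one a few lines above, which sets headers; if those headers carry a content type or hint for the client, consider reusing them so API callers get a consistent error shape.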