Separate admin protected endpoints from non-admin endpoints

backend/handlers/handle_auth.go

@@ -5,6 +5,7 @@ import (
 
 	"adam-french.co.uk/backend/models"
 	"github.com/gin-gonic/gin"
+	"github.com/golang-jwt/jwt/v5"
 	"golang.org/x/crypto/bcrypt"
 )
 
@@ -26,6 +27,28 @@ func (store *Store) AuthMiddlewear(ctx *gin.Context) {
 	ctx.Next()
 }
 
+func (store *Store) AdminMiddleware(ctx *gin.Context) {
+	claims, exists := ctx.Get("userClaims")
+	if !exists {
+		ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
+		return
+	}
+
+	mapClaims, ok := claims.(*jwt.MapClaims)
+	if !ok {
+		ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid claims"})
+		return
+	}
+
+	admin, ok := (*mapClaims)["admin"].(bool)
+	if !ok || !admin {
+		ctx.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "admin access required"})
+		return
+	}
+
+	ctx.Next()
+}
+
 func (store *Store) CheckToken(ctx *gin.Context) {
 	access_token, err := ctx.Cookie("access_token")
 	if err != nil {