function requireAuth(req, res, next) {
  if (!req.session || !req.session.userId) return res.status(401).json({ error: 'unauthorized' })
  next()
}

function requireAdmin(req, res, next) {
  if (!req.session || !req.session.userId) return res.status(401).json({ error: 'unauthorized' })
  if (!req.session.isAdmin) return res.status(403).json({ error: 'forbidden' })
  next()
}

module.exports = { requireAuth, requireAdmin }