// Nur eingeloggte User
function requireAuth(req, res, next) {
  if (req.isAuthenticated()) return next();
  res.status(401).json({ error: 'Nicht eingeloggt' });
}

// Nur Admins (Whitelist)
function requireAdmin(req, res, next) {
  if (req.isAuthenticated() && req.user?.isAdmin) return next();
  res.status(403).json({ error: 'Kein Admin-Zugriff' });
}

module.exports = { requireAuth, requireAdmin };