From ff0859a7b158aca1fb853916283f66360a256800 Mon Sep 17 00:00:00 2001
From: Nils-Johan Gynther
Date: Sun, 19 Apr 2026 21:24:53 +0200
Subject: [PATCH] =?UTF-8?q?debug:=20l=C3=A4gg=20till=20withAuth-loggning?= =?UTF-8?q?=20+=20middleware=20matcher=20f=C3=B6r=20/api?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 frontend/lib/with-auth.ts | 4 ++++
 frontend/middleware.ts | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 frontend/middleware.ts
diff --git a/frontend/lib/with-auth.ts b/frontend/lib/with-auth.ts
index 4044c405..7bd0d497 100644
--- a/frontend/lib/with-auth.ts
+++ b/frontend/lib/with-auth.ts
@@ -27,7 +27,11 @@ export function withAuth(
 ) {
 return auth(async function (request: any, context: any) {
 const session = request.auth;
+ // eslint-disable-next-line no-console
+ console.log('[withAuth] request.auth:', JSON.stringify(session));
 if (!session?.accessToken) {
+ // eslint-disable-next-line no-console
+ console.warn('[withAuth] No accessToken — returning 401');
 return NextResponse.json({ message: 'Unauthorized' }, { status: 401 });
 }
 return handler(request, session, context);
diff --git a/frontend/middleware.ts b/frontend/middleware.ts
new file mode 100644
index 00000000..31e0ed29
--- /dev/null
+++ b/frontend/middleware.ts
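Review bot: The added `console.log('[withAuth] request.auth:', JSON.stringify(session));` in frontend/lib/with-auth.ts serialises the whole session into the server log on every request that passes through withAuth, and the check directly below it shows that this object carries `accessToken`. Bearer tokens would therefore sit in log storage, readable by anyone with log access and for as long as logs are retained. Log only what the debugging needs, for example `console.log('[withAuth] session present:', Boolean(session), 'accessToken present:', Boolean(session?.accessToken));`, and remove the line once the problem is diagnosed. withAuth begins before this hunk and continues past it, so any other logging in the function is not visible here.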
@@ -0,0 +1,37 @@
+import { NextResponse } from 'next/server';
+import { auth } from './auth';
+
+export default auth((req) => {
+ const { pathname } = req.nextUrl;
+
+ // Alltid tillgängliga sidor
+ const publicPaths = ['/login', '/register'];
+ if (publicPaths.some((p) => pathname.startsWith(p))) {
+ return NextResponse.next();
+ }
+
+ // Om ej inloggad, omdirigera till /login
+ if (!req.auth) {
+ const loginUrl = new URL('/login', req.url);
+ loginUrl.searchParams.set('callbackUrl', pathname);
+ return NextResponse.redirect(loginUrl);
+ }
+
+ // Admin-sidor kräver admin-roll
+ if (pathname.startsWith('/admin')) {
+ const role = (req.auth.user as any)?.role;
+ if (role !== 'admin') {
+ return NextResponse.redirect(new URL('/', req.url));
+ }
+ }
+
+ return NextResponse.next();
+});
+
+export const config = {
+ matcher: ['/((?!api|_next/static|_next/image|favicon.ico).*)'],
+};
+
+export const config = {
+ matcher: ['/((?!_next/static|_next/image|favicon.ico|api/auth).*)'],
+};
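Review bot: `export const config` is declared twice at the end of the new frontend/middleware.ts, which TypeScript rejects as a redeclaration of a block-scoped `const`, and the two matchers disagree on whether `/api` routes are covered; keep only the one that is intended. If the second matcher (excluding only `api/auth`) is the one kept, unauthenticated `/api/*` requests will take the `!req.auth` branch and receive a redirect to `/login`, presumably before withAuth can return its JSON 401. API clients are better served by an explicit `if (pathname.startsWith('/api')) return NextResponse.json({ message: 'Unauthorized' }, { status: 401 });` ahead of the redirect. Separately, `publicPaths.some((p) => pathname.startsWith(p))` is a bare prefix match, so any path that merely begins with `/login` or `/register` skips the auth check. Matching on `pathname === p || pathname.startsWith(p + '/')` closes that gap, and the `/admin` check would benefit from the same form.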