Problem
The admin user management routes (/api/v1/admin/users/*) added in #57 use requireAuth middleware, which only validates that the JWT is signed and unexpired. It does not check the caller's role. Any authenticated driver can create, delete, and modify all user accounts — including promoting themselves to admin or deleting other admins.
Suggested Fix
The JWT already contains a role claim (set in auth.go during login). Add a requireAdmin middleware (or role-checking wrapper) that reads claims["role"] from the context and returns 403 if it's not "admin". Apply it to all five admin routes in main.go:85-89.
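As an added illustration (not code from this repository), the following is a minimal requireAdmin middleware of the kind described above. It assumes that requireAuth stores the parsed claims on the request context under a key named claimsKey and that the claims are a map with a string "role" entry; both names are assumptions, since the real key and claims type live in auth.go. It fails closed (401) when no claims are on the context at all, which catches the case where requireAdmin is accidentally mounted without requireAuth in front of it, and returns 403 for any role other than exactly "admin".

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ctxKey/claimsKey are assumed names; the project's requireAuth in auth.go
// uses its own context key for the verified JWT claims.
type ctxKey string

const claimsKey ctxKey = "claims"

// Claims is the assumed shape of the parsed JWT: a map carrying the
// "role" string claim that auth.go sets at login.
type Claims map[string]interface{}

// withClaims stands in for what requireAuth does after verifying the
// token: it attaches the claims to the request context.
func withClaims(r *http.Request, c Claims) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), claimsKey, c))
}

// requireAdmin rejects any request whose JWT role claim is not exactly
// "admin". It must be mounted after requireAuth, which populates the claims.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims, ok := r.Context().Value(claimsKey).(Claims)
		if !ok {
			// No claims on the context: requireAuth did not run (misordered
			// middleware). Fail closed instead of falling through.
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		role, _ := claims["role"].(string) // missing or non-string claim -> ""
		if role != "admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// adminStatus sends a constructed DELETE on an admin route through
// requireAdmin with the given claims (nil = requireAuth never ran) and
// returns the HTTP status the client would receive.
func adminStatus(claims Claims) int {
	handler := requireAdmin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/users/42", nil)
	if claims != nil {
		req = withClaims(req, claims)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(adminStatus(Claims{"role": "admin"}))  // 200
	fmt.Println(adminStatus(Claims{"role": "driver"})) // 403
	fmt.Println(adminStatus(Claims{"role": "Admin"}))  // 403: comparison is exact
	fmt.Println(adminStatus(nil))                      // 401: requireAuth missing
}
```

When wiring the five routes in main.go, keep the order requireAuth(requireAdmin(handler)) so the claims exist before the role check runs; the 401 branch above is only a safety net for a misordered chain, not a substitute for mounting requireAuth.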
References
main.go:85-89 — routes that need protection
auth.go:116-150 — existing requireAuth middleware to extend