Initial commit

app/Http/Middleware/AdminSecurityMiddleware.php

@@ -0,0 +1,47 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Log;
+use Symfony\Component\HttpFoundation\Response;
+
+class AdminSecurityMiddleware
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        $user = Auth::user();
+
+        // Check 1: Must be authenticated
+        if (! $user) {
+            return response()->json(['error' => 'Unauthorized'], 401);
+        }
+
+        // Check 2: Must have admin rank
+        $minRank = (int) setting('min_staff_rank', 7);
+        if ($user->rank < $minRank) {
+            Log::warning('[Security] Unauthorized API access attempt', [
+                'user_id' => $user->id,
+                'username' => $user->username,
+                'ip' => $request->ip(),
+                'path' => $request->path(),
+            ]);
+
+            return response()->json(['error' => 'Forbidden'], 403);
+        }
+
+        // Check 3: Audit log every API call
+        Log::info('[Audit] Admin API access', [
+            'user_id' => $user->id,
+            'username' => $user->username,
+            'method' => $request->method(),
+            'path' => $request->path(),
+            'ip' => $request->ip(),
+            'user_agent' => substr($request->userAgent() ?? '', 0, 200),
+        ]);
+
+        return $next($request);
+    }
+}