json(['error' => 'Unauthorized'], 401); } // Check 2: Must have admin rank $minRank = (int) setting('min_staff_rank', 7); if ($user->rank < $minRank) { Log::warning('[Security] Unauthorized API access attempt', [ 'user_id' => $user->id, 'username' => $user->username, 'ip' => $request->ip(), 'path' => $request->path(), ]); return response()->json(['error' => 'Forbidden'], 403); } // Check 3: Audit log every API call Log::info('[Audit] Admin API access', [ 'user_id' => $user->id, 'username' => $user->username, 'method' => $request->method(), 'path' => $request->path(), 'ip' => $request->ip(), 'user_agent' => substr($request->userAgent() ?? '', 0, 200), ]); return $next($request); } }