Atomcms-edit/app/Http/Middleware/AdminSecurityMiddleware.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

class AdminSecurityMiddleware
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = Auth::user();

        // Check 1: Must be authenticated
        if (! $user) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        // Check 2: Must have admin rank
        $minRank = (int) setting('min_staff_rank', config('habbo.defaults.min_staff_rank'));
        if ($user->rank < $minRank) {
            Log::warning('[Security] Unauthorized API access attempt', [
                'user_id' => $user->id,
                'username' => $user->username,
                'ip' => $request->ip(),
                'path' => $request->path(),
            ]);

            return response()->json(['error' => 'Forbidden'], 403);
        }

        // Check 3: Audit log every API call
        Log::info('[Audit] Admin API access', [
            'user_id' => $user->id,
            'username' => $user->username,
            'method' => $request->method(),
            'path' => $request->path(),
            'ip' => $request->ip(),
            'user_agent' => substr($request->userAgent() ?? '', 0, 200),
        ]);

        return $next($request);
    }
}