Auth: Apply middleware to all existing routes #125
Closed
Labels: enhancement (New feature or request)
Description
Auth System — Step 6 (Backend)
This is the breaking change — existing unprotected routes become authenticated.
Route protection map:
| Route | Required Role |
|---|---|
| GET /farm, GET /farm/:id | any authenticated |
| POST /farm | admin |
| GET /worker, POST /worker | foreman, farm_owner, admin |
| POST /shift, POST /shift/:id/close | foreman, admin |
| GET /shift, GET /shift/:id | any authenticated |
| POST /lot | foreman, admin |
| POST /lot/:id/transfer | any authenticated |
| POST /payroll | admin, farm_owner |
| GET /btc-price, POST /usd-to-sats | any authenticated |
| GET /provenance/:lotId/* | public (consumer-facing) |
| POST /beta/register | public |
Implementation:
- Add `authenticate` + `authorize()` to each route group in `server.js`
- Farm-scoped authorization: verify user's farm_id matches request
- Keep provenance and beta routes public
- Test all routes with valid/invalid/missing tokens
- Verify dev mode bypass still works
Depends on: JWT middleware, login endpoints
Design doc: docs/AUTH.md
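
A sketch of the role gate and the farm-scope check for two rows of the map above, added here as an illustration and not taken from the project's `server.js` or `docs/AUTH.md`. The names `authorize`, `requireFarmScope`, the `req.user` shape and the location of `farm_id` in the request body are assumptions; `authenticate` is assumed to have already verified the JWT and set `req.user`.

```javascript
// Added example. authorize(), requireFarmScope() and the req.user shape are assumed
// names; authenticate is assumed to have set req.user from a verified JWT already.

// Role gate: an empty role list means "any authenticated".
function authorize(...roles) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'authentication required' });
    if (roles.length > 0 && !roles.includes(req.user.role)) {
      return res.status(403).json({ error: 'insufficient role' });
    }
    next();
  };
}

// Farm scope: the farm named in the request must be the caller's own farm.
// A request that names no farm is rejected rather than waved through.
function requireFarmScope(getFarmId) {
  return (req, res, next) => {
    const target = getFarmId(req);
    const own = req.user ? req.user.farm_id : null;
    if (target == null || own == null || String(target) !== String(own)) {
      return res.status(403).json({ error: 'farm mismatch' });
    }
    next();
  };
}

// Two rows of the protection map, as middleware chains.
const getFarm = [authorize()];
const postShift = [authorize('foreman', 'admin'), requireFarmScope((req) => req.body.farm_id)];

// Stand-in for Express: run a chain against a constructed request, return the status.
function run(chain, req) {
  let status = 200;
  const res = { status(code) { status = code; return res; }, json() { return res; } };
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return status;
}

// Constructed requests: missing token, wrong role, own farm, another farm, no farm.
function demo() {
  const foreman = { role: 'foreman', farm_id: 7 };
  return {
    missingToken: run(getFarm, { body: {} }),
    wrongRole: run(postShift, { user: { role: 'farm_owner', farm_id: 7 }, body: { farm_id: 7 } }),
    ownFarm: run(postShift, { user: foreman, body: { farm_id: 7 } }),
    otherFarm: run(postShift, { user: foreman, body: { farm_id: 9 } }),
    noFarmNamed: run(postShift, { user: foreman, body: {} }),
  };
}
```

The role check and the farm check are separate middleware so that a route with the right role but the wrong farm still returns 403.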