# SEC-02 — Authentication & Authorization — Middleware Admin

**Category:** security  
**Status:** ok (with fixes)  
**Elapsed:** 0s

---

## Output

### Route Coverage
All admin routes (30+) are wrapped in the `AdminAuth` middleware group. Login/logout routes are excluded. ✓

### Session Security
- `LoginController::login()`: regenerates session on login (`$request->session()->regenerate()`) ✓
- `LoginController::logout()`: invalidates session + regenerates CSRF token ✓
- No hardcoded credentials found ✓

### [HIGH] Role Check Disabled in Middleware
File: `app/Http/Middleware/AdminAuth.php:22-25`
```php
// Optional: check role if there is a dashboard specific to admin/staff
// if (Auth::user()->role === 'user') {
//     abort(403, 'Unauthorized Access.');
// }
```
The `User` model has a `role` field (`admin|staff|editor`) and an `isAdmin()` method, but the middleware does not enforce either. Any authenticated user, even one with no role at all, can reach every admin page.

**Fix:**
```php
<?php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;

class AdminAuth
{
    public function handle(Request $request, Closure $next): Response
    {
        // Unauthenticated: send to the admin login page
        if (!Auth::check()) {
            return redirect()->route('admin.login');
        }

        // Deactivated account: end the session, then send back to login
        if (!Auth::user()->is_active) {
            Auth::logout();
            return redirect()->route('admin.login');
        }

        return $next($request);
    }
}
```

### [MEDIUM] 403 vs 401
- 401 (unauthenticated) → redirect to login ✓
- 403 (unauthorized) → not implemented yet (role check is commented out)
- The fix above will handle this via the `is_active` check
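
The fix above keeps only the `is_active` check. As an added example (not code from this report or from the audited project), the same middleware with the role check re-enabled, so that an authenticated user outside the admin roles gets a 403 rather than the admin pages; it assumes the `role` values `admin|staff|editor` and the `is_active` flag named in the findings, and that all three roles belong in the admin area:

```php
<?php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;

class AdminAuth
{
    /** Roles allowed into the admin area (assumption: staff and editor are back-office roles). */
    private const ALLOWED_ROLES = ['admin', 'staff', 'editor'];

    public function handle(Request $request, Closure $next): Response
    {
        // 401 case: no authenticated session, redirect to login
        if (!Auth::check()) {
            return redirect()->route('admin.login');
        }

        $user = Auth::user();

        // Deactivated account: terminate the session fully (not just a redirect)
        if (!$user->is_active) {
            Auth::logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();
            return redirect()->route('admin.login');
        }

        // 403 case: authenticated, but not an admin-area role.
        // Strict in_array so a null or unexpected role fails closed.
        if (!in_array($user->role, self::ALLOWED_ROLES, true)) {
            abort(403, 'Unauthorized Access.');
        }

        return $next($request);
    }
}
```

Routes that must be admin-only (not staff/editor) still need a narrower check, e.g. a second middleware calling the model's `isAdmin()`, since this group check only separates admin-area users from everyone else.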
