feat: роли customer/admin, админ-панель, admin@site.com

Co-authored-by: Cursor <cursoragent@cursor.com>

src/middleware/auth.js

@@ -1,5 +1,6 @@
 const { query } = require('../db');
 const { asyncHandler } = require('../utils/asyncHandler');
+const { ROLES } = require('../constants/roles');
 
 function requireAuth(req, res, next) {
   if (!req.session.userId) {
@@ -9,17 +10,33 @@ function requireAuth(req, res, next) {
   next();
 }
 
+function requireAdmin(req, res, next) {
+  if (!req.session.userId) {
+    const nextUrl = encodeURIComponent(req.originalUrl);
+    return res.redirect(`/login?next=${nextUrl}`);
+  }
+  if (res.locals.user?.role !== ROLES.ADMIN) {
+    return res.status(403).render('error', {
+      title: 'Доступ запрещён',
+      message: 'Недостаточно прав. Требуется роль администратора.',
+      code: 403,
+    });
+  }
+  next();
+}
+
 const loadUser = asyncHandler(async (req, res, next) => {
   if (req.session.userId) {
     const { rows } = await query(
-      'SELECT id, email, name FROM users WHERE id = $1',
+      'SELECT id, email, name, role FROM users WHERE id = $1',
       [req.session.userId]
     );
     res.locals.user = rows[0] || null;
   } else {
     res.locals.user = null;
   }
+  res.locals.isAdmin = res.locals.user?.role === ROLES.ADMIN;
   next();
 });
 
-module.exports = { requireAuth, loadUser };
+module.exports = { requireAuth, requireAdmin, loadUser };