admin.middleware.ts
Being logged in is not enough for /api/v1/admin/*.
This middleware checks isAdmin and optionally adminRole against permissions.
Typical pattern on admin routers:
adminRouter.use('*', authMiddleware, adminMiddleware)
Failure modes
- Not admin → 403
- Admin but missing permission for this action → 403
Always runs after authMiddleware so c.get('user') exists.
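One way such a guard could be written, as an added example that is not the project's own middleware. The `User` shape, the role and permission names, `ROLE_PERMISSIONS`, `adminDecision`, `requireAdmin`, and the 401 returned when no user is set are all assumptions made for illustration.

```typescript
// Added example, not the project's code. The user shape, role names,
// permission strings and the 401 for a missing user are assumptions.
type User = { id: string; isAdmin: boolean; adminRole?: string };
type Ctx = {
  get(key: 'user'): User | undefined;
  json(body: unknown, status: number): unknown;
};

// Constructed role -> permission table. A Map is used so that a role name
// like "constructor" cannot resolve to an inherited object property.
const ROLE_PERMISSIONS = new Map<string, readonly string[]>([
  ['superadmin', ['users:read', 'users:delete']],
  ['support', ['users:read']],
]);

// Pure decision: returns the HTTP status to reject with, or null to allow.
function adminDecision(user: User | undefined, permission?: string): number | null {
  // Fail closed if authMiddleware did not run first (route ordering bug).
  if (!user) return 401;
  // Strict comparison so a truthy non-boolean (e.g. the string "false") fails.
  if (user.isAdmin !== true) return 403;
  if (permission !== undefined) {
    const granted = ROLE_PERMISSIONS.get(user.adminRole ?? '') ?? [];
    if (!granted.includes(permission)) return 403;
  }
  return null;
}

// Middleware factory in the (c, next) shape the router call above expects.
function requireAdmin(permission?: string) {
  return async (c: Ctx, next: () => Promise<void>): Promise<unknown> => {
    const status = adminDecision(c.get('user'), permission);
    if (status !== null) {
      return c.json({ error: status === 401 ? 'unauthenticated' : 'forbidden' }, status);
    }
    return next();
  };
}

// Constructed sample users.
const MEMBER: User = { id: 'u1', isAdmin: false };
const SUPPORT: User = { id: 'u2', isAdmin: true, adminRole: 'support' };
const NO_ROLE: User = { id: 'u3', isAdmin: true };
```

Keeping the decision in a pure function lets both 403 paths be unit-tested without starting a server.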