'use strict';

module.exports = function authorize (authBackend) {
    return function authorizeMiddleware (req, res, next) {
        authBackend.authorize(req, res, (err, authorized) => {
            req.profiler.done('authorize');

            if (err) {
                return next(err);
            }

            if (!authorized) {
                err = new Error('Sorry, you are unauthorized (permission denied)');
                err.http_status = 403;
                return next(err);
            }

            return next();
        });
    };
};