internal/middleware/auth_middleware.go

@@ -11,7 +11,6 @@ import (
 	"apskel-pos-be/internal/service"
 
 	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
 )
 
 type AuthMiddleware struct {
@@ -46,13 +45,9 @@ func (m *AuthMiddleware) RequireAuth() gin.HandlerFunc {
 		setKeyInContext(c, appcontext.OrganizationIDKey, userResponse.OrganizationID.String())
 		setKeyInContext(c, appcontext.UserIDKey, userResponse.ID.String())
 
-		// Always override OutletID from token to prevent header injection.
-		// Set empty string if user has no outlet, so PopulateContext header value is ignored.
-		outletIDStr := ""
-		if userResponse.OutletID != nil && *userResponse.OutletID != uuid.Nil {
-			outletIDStr = userResponse.OutletID.String()
+		if userResponse.Role != "superadmin" {
+			setKeyInContext(c, appcontext.OutletIDKey, userResponse.OutletID.String())
 		}
-		setKeyInContext(c, appcontext.OutletIDKey, outletIDStr)
 
 		logger.FromContext(c.Request.Context()).Infof("AuthMiddleware::RequireAuth -> User authenticated: %s", userResponse.Email)
 		c.Next()