header('Authorization'); if (!$authHeader || !str_starts_with($authHeader, 'Bearer ')) { return response()->json([ 'success' => false, 'message' => 'Authentication token required.' ], 401); } $token = substr($authHeader, 7); $user = User::where('api_token', $token)->where('role', 'employer')->first(); if (!$user) { return response()->json([ 'success' => false, 'message' => 'Invalid or expired authentication token.' ], 401); } // Automatically activate queued pending plans if current active has expired User::checkAndActivatePendingSubscriptions($user->id); $user->refresh(); // Enforce active subscription check $hasActiveSub = ($user->subscription_status === 'active' || $user->subscription_status === 'none'); if (!$hasActiveSub) { // Only allow access to payments or plans endpoints $path = $request->getPathInfo(); $isAllowedApi = str_contains($path, '/payments') || str_contains($path, '/plans'); if (!$isAllowedApi) { return response()->json([ 'success' => false, 'message' => 'Your subscription has expired. Please purchase or renew a subscription plan to restore access.' ], 403); } } // Attach employer object to request attributes so controllers can read it using $request->attributes->get('employer') $request->attributes->set('employer', $user); return $next($request); } }