48hr.email/infrastructure/web/middleware/lock.js


const templateContext = require('../template-context')
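/**
 * Express-style middleware that gates requests to a locked inbox.
 *
 * Reads the `inboxLock` service from `req.app`, the inbox address from
 * `req.params.address` and the caller's identity from `req.session`.
 * When the inbox is locked, access is granted if either
 *   - the caller is authenticated and `inboxLock.isLockedByUser` reports
 *     ownership, or
 *   - the session's `lockedInbox` equals the lowercased route address
 *     (so the session that just locked the inbox is not bounced).
 * A locked inbox without such access is answered with the `error` view
 * (and any stale `unlockError` is dropped from the session); every other
 * case falls through to `next()`. The authenticated owner's last-access
 * time is refreshed via `inboxLock.updateAccess` before continuing.
 *
 * @param {object} req - request; uses `app`, `params.address`, `session`
 * @param {object} res - response; `render` is used on the denied path
 * @param {Function} next - continuation for the middleware chain
 * @returns {void}
 */
function checkLockAccess(req, res, next) {
  const inboxLock = req.app.get('inboxLock')
  const address = req.params.address
  const session = req.session
  const userId = session && session.userId
  const isAuthenticated = session && session.isAuthenticated

  // Nothing to gate: no address in the route, or no lock service configured.
  if (!address || !inboxLock) {
    return next()
  }

  const isLocked = inboxLock.isLocked(address)
  // The session compare lowercases the route address; computed once here.
  // NOTE(review): isLocked/isLockedByUser receive the raw address while the
  // session compare is lowercased — confirm the lock service normalises case
  // the same way, otherwise the two checks can disagree on the same inbox.
  const normalizedAddress = address.toLowerCase()
  const sessionOwnsInbox = Boolean(session) && session.lockedInbox === normalizedAddress

  // Authenticated users are checked against persisted ownership, with the
  // session fallback so the lock holder keeps access right after locking.
  const hasAccess = isAuthenticated && userId
    ? (inboxLock.isLockedByUser(address, userId) || sessionOwnsInbox)
    : sessionOwnsInbox

  if (isLocked && !hasAccess) {
    // Drop a stale unlock error so it cannot resurface on a later request.
    if (session) delete session.unlockError
    return res.render('error', templateContext.build(req, {
      title: 'Access Denied',
      message: 'This inbox is locked by another user. Only the owner can access it.'
    }))
  }

  // Refresh the lock's last-access record for the authenticated owner only.
  if (isLocked && hasAccess && isAuthenticated && userId) {
    inboxLock.updateAccess(userId, address)
  }
  next()
}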
// Public surface of this module: the single lock-gating middleware.
module.exports = { checkLockAccess }