WIP: basic server, no features

dWeb/AuthMiddleware.cpp

@@ -0,0 +1,130 @@
+#include "AuthMiddleware.h"
+#include "HTTPContext.h"
+#include "eHTTPStatusCode.h"
+#include <algorithm>
+#include "Logger.h"
+
+// Forward declare DashboardAuthService::VerifyToken
+// This will be implemented in the dashboard server
+namespace DashboardAuthService {
+	bool VerifyToken(const std::string& token, std::string& username, uint8_t& gmLevel);
+}
+
+bool AuthMiddleware::Process(HTTPContext& context, HTTPReply& reply) {
+	// Try to extract token from query string first
+	std::string token = ExtractTokenFromQueryString(context.queryString);
+	
+	// If not found in query string, try cookies
+	if (token.empty()) {
+		const std::string& cookieHeader = context.GetHeader("Cookie");
+		if (!cookieHeader.empty()) {
+			token = ExtractTokenFromCookies(cookieHeader);
+		}
+	}
+	
+	// If not found in query or cookies, try Authorization header (API token)
+	if (token.empty()) {
+		const std::string& authHeader = context.GetHeader("Authorization");
+		if (!authHeader.empty()) {
+			token = ExtractTokenFromAuthHeader(authHeader);
+		}
+	}
+	
+	// If token found, verify it
+	if (!token.empty()) {
+		std::string username{};
+		uint8_t gmLevel = 0;
+		
+		if (DashboardAuthService::VerifyToken(token, username, gmLevel)) {
+			context.isAuthenticated = true;
+			context.authenticatedUser = username;
+			context.gmLevel = gmLevel;
+			LOG_DEBUG("Authenticated user %s (GM level %d)", username.c_str(), gmLevel);
+			return true; // Continue to next middleware
+		} else {
+			LOG_DEBUG("Failed to verify token from %s", context.clientIP.c_str());
+		}
+	}
+	
+	// No valid token found, but we don't fail here
+	// Routes can check context.isAuthenticated if they require auth
+	return true;
+}
+
+std::string AuthMiddleware::ExtractTokenFromQueryString(const std::string& queryString) {
+	if (queryString.empty()) return "";
+	
+	const std::string tokenPrefix = "token=";
+	const size_t tokenPos = queryString.find(tokenPrefix);
+	
+	if (tokenPos == std::string::npos) {
+		return "";
+	}
+	
+	const size_t valueStart = tokenPos + tokenPrefix.length();
+	const size_t valueEnd = queryString.find("&", valueStart);
+	
+	if (valueEnd == std::string::npos) {
+		return queryString.substr(valueStart);
+	}
+	
+	return queryString.substr(valueStart, valueEnd - valueStart);
+}
+
+std::string AuthMiddleware::ExtractTokenFromCookies(const std::string& cookieHeader) {
+	if (cookieHeader.empty()) return "";
+	
+	const std::string searchStr = "dashboardToken=";
+	const size_t pos = cookieHeader.find(searchStr);
+	
+	if (pos == std::string::npos) {
+		return "";
+	}
+	
+	const size_t valueStart = pos + searchStr.length();
+	const size_t valueEnd = cookieHeader.find(";", valueStart);
+	
+	std::string value;
+	if (valueEnd == std::string::npos) {
+		value = cookieHeader.substr(valueStart);
+	} else {
+		value = cookieHeader.substr(valueStart, valueEnd - valueStart);
+	}
+	
+	// URL decode the value
+	std::string decoded{};
+	for (size_t i = 0; i < value.length(); ++i) {
+		if (value[i] == '%' && i + 2 < value.length()) {
+			const std::string hex = value.substr(i + 1, 2);
+			char* endptr = nullptr;
+			const int charCode = static_cast<int>(std::strtol(hex.c_str(), &endptr, 16));
+			if (endptr - hex.c_str() == 2) {
+				decoded += static_cast<char>(charCode);
+				i += 2;
+				continue;
+			}
+		}
+		decoded += value[i];
+	}
+	
+	return decoded;
+}
+
+std::string AuthMiddleware::ExtractTokenFromAuthHeader(const std::string& authHeader) {
+	if (authHeader.empty()) return "";
+	
+	// Check for "Bearer <token>" format
+	const std::string bearerPrefix = "Bearer ";
+	if (authHeader.find(bearerPrefix) == 0) {
+		return authHeader.substr(bearerPrefix.length());
+	}
+	
+	// Also check for "Token <token>" format (API tokens)
+	const std::string tokenPrefix = "Token ";
+	if (authHeader.find(tokenPrefix) == 0) {
+		return authHeader.substr(tokenPrefix.length());
+	}
+	
+	// Return as-is if no prefix (raw token)
+	return authHeader;
+}

dWeb/AuthMiddleware.h

@@ -0,0 +1,43 @@
+#pragma once
+
+#include "IHTTPMiddleware.h"
+#include <vector>
+
+/**
+ * Authentication Middleware
+ * 
+ * Verifies JWT tokens from:
+ * - Query parameter: ?token=...
+ * - Cookie: dashboardToken=...
+ * - Authorization header: Bearer <token> or Token <token>
+ * 
+ * Populates HTTPContext with authentication information if valid.
+ * Does NOT fail on missing auth - that's left to specific routes.
+ */
+class AuthMiddleware : public IHTTPMiddleware {
+public:
+	AuthMiddleware() = default;
+	
+	bool Process(HTTPContext& context, HTTPReply& reply) override;
+	
+	std::string GetName() const override { return "AuthMiddleware"; }
+	
+private:
+	/**
+	 * Extract token from query string
+	 * Expected format: "?token=eyJhbGc..." or "&token=eyJhbGc..."
+	 */
+	static std::string ExtractTokenFromQueryString(const std::string& queryString);
+	
+	/**
+	 * Extract token from Cookie header
+	 * Looks for "dashboardToken=..." cookie
+	 */
+	static std::string ExtractTokenFromCookies(const std::string& cookieHeader);
+	
+	/**
+	 * Extract token from Authorization header
+	 * Supports: "Bearer <token>", "Token <token>", or raw token
+	 */
+	static std::string ExtractTokenFromAuthHeader(const std::string& authHeader);
+};

dWeb/HTTPContext.h

@@ -0,0 +1,59 @@
+#pragma once
+
+#include <string>
+#include <map>
+#include <memory>
+#include <algorithm>
+#include "eHTTPStatusCode.h"
+
+/**
+ * HTTP Request Context
+ * 
+ * Carries all request metadata through the middleware chain.
+ * Populated by the Web framework before middleware/handlers are called.
+ */
+struct HTTPContext {
+	// Request metadata
+	std::string method{};
+	std::string path{};
+	std::string queryString{};
+	std::string body{};
+	
+	// Request headers (header name -> value)
+	// Header names are lowercase for case-insensitive lookup
+	std::map<std::string, std::string> headers{};
+	
+	// Client information
+	std::string clientIP{};
+	
+	// Authentication information (populated by auth middleware)
+	bool isAuthenticated = false;
+	std::string authenticatedUser{};
+	uint8_t gmLevel = 0;
+	
+	// Custom data for middleware to communicate
+	std::map<std::string, std::string> userData{};
+	
+	/**
+	 * Get header value (case-insensitive)
+	 */
+	const std::string& GetHeader(const std::string& headerName) const {
+		static const std::string empty{};
+		
+		// Convert to lowercase for comparison
+		std::string lowerName = headerName;
+		std::transform(lowerName.begin(), lowerName.end(), lowerName.begin(), ::tolower);
+		
+		const auto it = headers.find(lowerName);
+		return it != headers.end() ? it->second : empty;
+	}
+	
+	/**
+	 * Set header value (automatically lowercased)
+	 */
+	void SetHeader(const std::string& headerName, const std::string& value) {
+		std::string lowerName = headerName;
+		std::transform(lowerName.begin(), lowerName.end(), lowerName.begin(), ::tolower);
+		headers[lowerName] = value;
+	}
+};

dWeb/IHTTPMiddleware.h

@@ -0,0 +1,38 @@
+#pragma once
+
+#include <memory>
+#include "HTTPContext.h"
+
+// Forward declaration
+struct HTTPReply;
+
+/**
+ * Middleware Interface
+ * 
+ * All middleware implements this interface and is called in order during request processing.
+ * Middleware can:
+ * - Inspect and modify the request (HTTPContext)
+ * - Populate authentication/authorization info
+ * - Short-circuit the chain by setting a reply and returning false
+ * - Pass to the next middleware by returning true
+ */
+class IHTTPMiddleware {
+public:
+	virtual ~IHTTPMiddleware() = default;
+	
+	/**
+	 * Process the request through this middleware
+	 * 
+	 * @param context The HTTP request context
+	 * @param reply The HTTP reply (can be populated to short-circuit)
+	 * @return true to continue to next middleware, false to stop processing
+	 */
+	virtual bool Process(HTTPContext& context, HTTPReply& reply) = 0;
+	
+	/**
+	 * Get a friendly name for this middleware
+	 */
+	virtual std::string GetName() const = 0;
+};
+
+using MiddlewarePtr = std::shared_ptr<IHTTPMiddleware>;

dWeb/RequireAuthMiddleware.cpp

@@ -0,0 +1,25 @@
+#include "RequireAuthMiddleware.h"
+#include "HTTPContext.h"
+#include "Game.h"
+#include "Logger.h"
+
+bool RequireAuthMiddleware::Process(HTTPContext& context, HTTPReply& reply) {
+	if (!context.isAuthenticated) {
+		LOG_DEBUG("Rejected request to %s: not authenticated", context.path.c_str());
+		reply.status = eHTTPStatusCode::UNAUTHORIZED;
+		reply.message = R"({"error":"Unauthorized","message":"Authentication required"})";
+		reply.contentType = eContentType::APPLICATION_JSON;
+		return false; // Stop processing chain
+	}
+	
+	if (context.gmLevel < minGmLevel) {
+		LOG("Rejected request to %s: insufficient permissions (gmLevel=%d, required=%d)", 
+			context.path.c_str(), context.gmLevel, minGmLevel);
+		reply.status = eHTTPStatusCode::FORBIDDEN;
+		reply.message = R"({"error":"Forbidden","message":"Insufficient permissions"})";
+		reply.contentType = eContentType::APPLICATION_JSON;
+		return false; // Stop processing chain
+	}
+	
+	return true; // Continue to next middleware
+}

dWeb/RequireAuthMiddleware.h

@@ -0,0 +1,33 @@
+#pragma once
+
+#include "IHTTPMiddleware.h"
+#include "eHTTPStatusCode.h"
+
+/**
+ * Require Authentication Middleware
+ * 
+ * Verifies that the request has been authenticated.
+ * Must be placed AFTER AuthMiddleware in the chain.
+ * 
+ * Fails with 401 Unauthorized if not authenticated.
+ * Optionally checks for minimum GM level.
+ */
+class RequireAuthMiddleware : public IHTTPMiddleware {
+public:
+	/**
+	 * Create a require auth middleware
+	 * 
+	 * @param minGmLevel Minimum GM level required (0 = any authenticated user)
+	 */
+	explicit RequireAuthMiddleware(uint8_t minGmLevel = 0) 
+		: minGmLevel(minGmLevel) {}
+	
+	bool Process(HTTPContext& context, HTTPReply& reply) override;
+	
+	std::string GetName() const override { 
+		return "RequireAuthMiddleware(minGM=" + std::to_string(minGmLevel) + ")"; 
+	}
+	
+private:
+	uint8_t minGmLevel{};
+};

dWeb/Web.cpp

@@ -6,30 +6,134 @@
 #include "eHTTPMethod.h"
 #include "GeneralUtils.h"
 #include "JSONUtils.h"
+#include "HTTPContext.h"
+#include "IHTTPMiddleware.h"
 #include <ranges>
+#include <set>
+#include <cctype>
 
 namespace Game {
 	Web web;
 }
 
 namespace {
-	const char* jsonContentType = "Content-Type: application/json\r\n";
 	const std::string wsSubscribed = "{\"status\":\"subscribed\"}";
 	const std::string wsUnsubscribed = "{\"status\":\"unsubscribed\"}";
 	std::map<std::pair<eHTTPMethod, std::string>, HTTPRoute> g_HTTPRoutes;
 	std::map<std::string, WSEvent> g_WSEvents;
 	std::vector<std::string> g_WSSubscriptions;
+	// Keep track of authenticated WebSocket connections
+	std::set<mg_connection*> g_AuthenticatedWSConnections;
+	
+	// Global middleware applied to all routes
+	std::vector<MiddlewarePtr> g_GlobalMiddleware;
+	
+	// Helper to extract client IP from mongoose connection
+	static std::string GetClientIP(mg_connection* connection) {
+		if (!connection) return "unknown";
+		
+		const uint8_t* ip = connection->rem.ip;
+		
+		// Check for IPv4-mapped IPv6 addresses (::ffff:x.x.x.x)
+		if (ip[0] == 0 && ip[1] == 0 && ip[2] == 0 && ip[3] == 0 &&
+			ip[4] == 0 && ip[5] == 0 && ip[6] == 0 && ip[7] == 0 &&
+			ip[8] == 0 && ip[9] == 0 && ip[10] == 0xff && ip[11] == 0xff) {
+			// IPv4 address is in bytes 12-15
+			char buffer[32]{};
+			snprintf(buffer, sizeof(buffer), "%d.%d.%d.%d",
+				ip[12], ip[13], ip[14], ip[15]);
+			return buffer;
+		}
+		
+		// Direct IPv4
+		char buffer[32]{};
+		snprintf(buffer, sizeof(buffer), "%d.%d.%d.%d",
+			ip[0], ip[1], ip[2], ip[3]);
+		return buffer;
+	}
+	
+	// Helper to populate HTTPContext from mg_http_message
+	static void PopulateHTTPContext(HTTPContext& context, 
+									const mg_http_message* http_msg,
+									mg_connection* connection) {
+		// Parse method
+		context.method = std::string(http_msg->method.buf, http_msg->method.len);
+		
+		// Parse URI/path
+		std::string uri(http_msg->uri.buf, http_msg->uri.len);
+		std::transform(uri.begin(), uri.end(), uri.begin(), ::tolower);
+		
+		// Split path and query string
+		const size_t queryPos = uri.find('?');
+		if (queryPos != std::string::npos) {
+			context.path = uri.substr(0, queryPos);
+			context.queryString = uri.substr(queryPos + 1);
+		} else {
+			context.path = uri;
+			context.queryString = "";
+		}
+		
+		// Parse body
+		context.body = std::string(http_msg->body.buf, http_msg->body.len);
+		
+		// Parse common headers (case-insensitive)
+		const struct mg_str* hdr_ptr;
+		
+		// Get Content-Type
+		if ((hdr_ptr = mg_http_get_header(const_cast<mg_http_message*>(http_msg), "Content-Type")) != NULL) {
+			context.SetHeader("Content-Type", std::string(hdr_ptr->buf, hdr_ptr->len));
+		}
+		
+		// Get Cookie
+		if ((hdr_ptr = mg_http_get_header(const_cast<mg_http_message*>(http_msg), "Cookie")) != NULL) {
+			context.SetHeader("Cookie", std::string(hdr_ptr->buf, hdr_ptr->len));
+		}
+		
+		// Get Authorization
+		if ((hdr_ptr = mg_http_get_header(const_cast<mg_http_message*>(http_msg), "Authorization")) != NULL) {
+			context.SetHeader("Authorization", std::string(hdr_ptr->buf, hdr_ptr->len));
+		}
+		
+		// Get User-Agent
+		if ((hdr_ptr = mg_http_get_header(const_cast<mg_http_message*>(http_msg), "User-Agent")) != NULL) {
+			context.SetHeader("User-Agent", std::string(hdr_ptr->buf, hdr_ptr->len));
+		}
+		
+		// Get Host
+		if ((hdr_ptr = mg_http_get_header(const_cast<mg_http_message*>(http_msg), "Host")) != NULL) {
+			context.SetHeader("Host", std::string(hdr_ptr->buf, hdr_ptr->len));
+		}
+		
+		// Get client IP
+		context.clientIP = GetClientIP(connection);
+	}
+
+	const char* ContentTypeToString(eContentType contentType) {
+		switch (contentType) {
+			case eContentType::APPLICATION_JSON:
+				return "application/json";
+			case eContentType::TEXT_HTML:
+				return "text/html; charset=utf-8";
+			case eContentType::TEXT_CSS:
+				return "text/css; charset=utf-8";
+			case eContentType::TEXT_JAVASCRIPT:
+				return "application/javascript; charset=utf-8";
+			case eContentType::TEXT_PLAIN:
+				return "text/plain; charset=utf-8";
+			case eContentType::IMAGE_PNG:
+				return "image/png";
+			case eContentType::IMAGE_JPEG:
+				return "image/jpeg";
+			case eContentType::APPLICATION_OCTET_STREAM:
+				return "application/octet-stream";
+			default:
+				return "application/json";
+		}
+	}
 }
 
 using json = nlohmann::json;
 
-bool ValidateAuthentication(const mg_http_message* http_msg) {
-	// TO DO: This is just a placeholder for now
-	// use tokens or something at a later point if we want to implement authentication
-	// bit using the listen bind address to limit external access is good enough to start with
-	return true;
-}
-
 void HandleHTTPMessage(mg_connection* connection, const mg_http_message* http_msg) {
 	if (g_HTTPRoutes.empty()) return;
 
@@ -38,46 +142,136 @@ void HandleHTTPMessage(mg_connection* connection, const mg_http_message* http_ms
 	if (!http_msg) {
 		reply.status = eHTTPStatusCode::BAD_REQUEST;
 		reply.message = "{\"error\":\"Invalid Request\"}";
-	} else if (ValidateAuthentication(http_msg)) {
-		
-		// convert method from cstring to std string
+	} else {
+		// All authentication is now handled by middleware chain
+		// Convert method from cstring to enum
 		std::string method_string(http_msg->method.buf, http_msg->method.len);
-		// get method from mg to enum
 		const eHTTPMethod method = magic_enum::enum_cast<eHTTPMethod>(method_string).value_or(eHTTPMethod::INVALID);
 
-		// convert uri from cstring to std string
+		// Extract URI and convert to lowercase
 		std::string uri(http_msg->uri.buf, http_msg->uri.len);
 		std::transform(uri.begin(), uri.end(), uri.begin(), ::tolower);
 
-		// convert body from cstring to std string
-		std::string body(http_msg->body.buf, http_msg->body.len);
-
 		// Special case for websocket
 		if (uri == "/ws" && method == eHTTPMethod::GET) {
-			mg_ws_upgrade(connection, const_cast<mg_http_message*>(http_msg), NULL);
-			LOG_DEBUG("Upgraded connection to websocket: %d.%d.%d.%d:%i", MG_IPADDR_PARTS(&connection->rem.ip), connection->rem.port);
-			// return cause they are now a websocket
+			// Check if connection is from localhost/internal network
+			bool isInternal = false;
+			const uint8_t* ip = connection->rem.ip;
+			
+			// Check for IPv4-mapped IPv6 addresses (::ffff:x.x.x.x)
+			if (ip[0] == 0 && ip[1] == 0 && ip[2] == 0 && ip[3] == 0 &&
+				ip[4] == 0 && ip[5] == 0 && ip[6] == 0 && ip[7] == 0 &&
+				ip[8] == 0 && ip[9] == 0 && ip[10] == 0xff && ip[11] == 0xff) {
+				// IPv4 address is in bytes 12-15
+				uint8_t b1 = ip[12];
+				uint8_t b2 = ip[13];
+				
+				// Check for 127.x.x.x (localhost)
+				if (b1 == 127) {
+					isInternal = true;
+				}
+				// Check for 192.168.x.x
+				else if (b1 == 192 && b2 == 168) {
+					isInternal = true;
+				}
+				// Check for 10.x.x.x
+				else if (b1 == 10) {
+					isInternal = true;
+				}
+				// Check for 172.16.x.x to 172.31.x.x
+				else if (b1 == 172 && b2 >= 16 && b2 <= 31) {
+					isInternal = true;
+				}
+			}
+			
+			bool authenticated = isInternal; // Internal connections are automatically trusted
+			
+			// For external connections, require authentication cookie
+			if (!isInternal) {
+				const auto* cookieHeader = mg_http_get_header(const_cast<mg_http_message*>(http_msg), "Cookie");
+				if (cookieHeader) {
+					std::string cookieStr = std::string(cookieHeader->buf, cookieHeader->len);
+					if (!cookieStr.empty() && cookieStr.find("dashboardToken=") != std::string::npos) {
+						authenticated = true;
+					}
+				}
+			}
+			
+			if (authenticated) {
+				mg_ws_upgrade(connection, const_cast<mg_http_message*>(http_msg), NULL);
+				g_AuthenticatedWSConnections.insert(connection);
+				const char* connType = isInternal ? "internal" : "external";
+				LOG_DEBUG("Upgraded %s connection to websocket: %d.%d.%d.%d:%i", connType, MG_IPADDR_PARTS(&connection->rem.ip), connection->rem.port);
+			} else {
+				LOG_DEBUG("Rejected WebSocket connection - no valid authentication from %d.%d.%d.%d:%i", MG_IPADDR_PARTS(&connection->rem.ip), connection->rem.port);
+				reply.status = eHTTPStatusCode::UNAUTHORIZED;
+				reply.message = "{\"error\":\"Unauthorized\"}";
+				std::string headers = std::string("Content-Type: ") + ContentTypeToString(reply.contentType) + "\r\n";
+				if (!reply.location.empty()) {
+					headers += "Location: " + reply.location + "\r\n";
+				}
+				mg_http_reply(connection, static_cast<int>(reply.status), headers.c_str(), reply.message.c_str());
+			}
+			// return cause they are now a websocket or connection closed
 			return;
 		}
 
 		// Handle HTTP request
 		const auto routeItr = g_HTTPRoutes.find({method, uri});
 		if (routeItr != g_HTTPRoutes.end()) {
-			const auto& [_, route] = *routeItr;
-			route.handle(reply, body);
+			const auto& route = routeItr->second;
+			
+			// Create HTTP context from request
+			HTTPContext context;
+			PopulateHTTPContext(context, http_msg, connection);
+			
+			// Build complete middleware chain
+			std::vector<MiddlewarePtr> middlewareChain = g_GlobalMiddleware;
+			middlewareChain.insert(middlewareChain.end(), 
+								   route.middleware.begin(), 
+								   route.middleware.end());
+			
+			// Execute middleware chain
+			bool chainPassed = true;
+			for (const auto& middleware : middlewareChain) {
+				if (!middleware->Process(context, reply)) {
+					chainPassed = false;
+					LOG_DEBUG("Middleware %s rejected request to %s %s", 
+							  middleware->GetName().c_str(),
+							  context.method.c_str(),
+							  context.path.c_str());
+					break;
+				}
+			}
+			
+			// Call handler only if all middleware passed
+			if (chainPassed) {
+				route.handle(reply, context);
+			}
 		} else {
 			reply.status = eHTTPStatusCode::NOT_FOUND;
 			reply.message = "{\"error\":\"Not Found\"}";
 		}
-	} else {
-		reply.status = eHTTPStatusCode::UNAUTHORIZED;
-		reply.message = "{\"error\":\"Unauthorized\"}";
 	}
-	mg_http_reply(connection, static_cast<int>(reply.status), jsonContentType, reply.message.c_str());
+	
+	// Build headers
+	std::string headers = std::string("Content-Type: ") + ContentTypeToString(reply.contentType) + "\r\n";
+	if (!reply.location.empty()) {
+		headers += "Location: " + reply.location + "\r\n";
+	}
+	mg_http_reply(connection, static_cast<int>(reply.status), headers.c_str(), reply.message.c_str());
 }
 
 
+
 void HandleWSMessage(mg_connection* connection, const mg_ws_message* ws_msg) {
+	// Check if connection is authenticated
+	if (g_AuthenticatedWSConnections.find(connection) == g_AuthenticatedWSConnections.end()) {
+		LOG_DEBUG("Received websocket message from unauthenticated connection");
+		mg_ws_send(connection, "{\"error\":\"Unauthorized\"}", 23, WEBSOCKET_OP_TEXT);
+		return;
+	}
+	
 	if (!ws_msg) {
 		LOG_DEBUG("Received invalid websocket message");
 		return;
@@ -233,6 +427,15 @@ void Web::RegisterWSSubscription(const std::string& subscription) {
 	}
 }
 
+void Web::AddGlobalMiddleware(MiddlewarePtr middleware) {
+	if (!middleware) {
+		LOG_DEBUG("Attempted to add null middleware");
+		return;
+	}
+	g_GlobalMiddleware.push_back(middleware);
+	LOG_DEBUG("Registered global middleware: %s", middleware->GetName().c_str());
+}
+
 Web::Web() {
 	mg_log_set_fn(DLOG, NULL); // Redirect logs to our logger
 	mg_log_set(MG_LL_DEBUG);
@@ -293,6 +496,18 @@ void Web::SendWSMessage(const std::string subscription, json& data) {
 	// tell it the event type
 	data["event"] = subscription;
 	auto index = std::distance(g_WSSubscriptions.begin(), subItr);
+	
+	// Clean up closed connections from authenticated set
+	std::vector<mg_connection*> closedConnections;
+	for (auto* conn : g_AuthenticatedWSConnections) {
+		if (conn->is_closing) {
+			closedConnections.push_back(conn);
+		}
+	}
+	for (auto* conn : closedConnections) {
+		g_AuthenticatedWSConnections.erase(conn);
+	}
+	
 	for (auto *wc = Game::web.mgr.conns; wc != NULL; wc = wc->next) {
 		if (wc->is_websocket && wc->data[index] == SubscriptionStatus::SUBSCRIBED) {
 			mg_ws_send(wc, data.dump().c_str(), data.dump().size(), WEBSOCKET_OP_TEXT);

dWeb/Web.h

@@ -4,9 +4,13 @@
 #include <functional>
 #include <string>
 #include <optional>
+#include <vector>
+#include <memory>
 #include "mongoose.h"
 #include "json_fwd.hpp"
 #include "eHTTPStatusCode.h"
+#include "HTTPContext.h"
+#include "IHTTPMiddleware.h"
 
 // Forward declarations for game namespace
 // so that we can access the data anywhere
@@ -20,20 +24,35 @@ enum class eHTTPMethod;
 // Forward declaration for mongoose manager
 typedef struct mg_mgr mg_mgr;
 
+// Content type enum for HTTP responses
+enum class eContentType {
+	APPLICATION_JSON,
+	TEXT_HTML,
+	TEXT_CSS,
+	TEXT_JAVASCRIPT,
+	TEXT_PLAIN,
+	IMAGE_PNG,
+	IMAGE_JPEG,
+	APPLICATION_OCTET_STREAM
+};
+
 // For passing HTTP messages between functions
 struct HTTPReply {
 	eHTTPStatusCode status = eHTTPStatusCode::NOT_FOUND;
 	std::string message = "{\"error\":\"Not Found\"}";
+	eContentType contentType = eContentType::APPLICATION_JSON;
+	std::string location = "";  // For redirect responses (Location header)
 };
 
 // HTTP route structure
 // This structure is used to register HTTP routes
-// with the server. Each route has a path, method, and a handler function
-// that will be called when the route is matched.
+// with the server. Each route has a path, method, optional middleware,
+// and a handler function that will be called when the route is matched.
 struct HTTPRoute {
 	std::string path;
 	eHTTPMethod method;
-	std::function<void(HTTPReply&, const std::string&)> handle;
+	std::vector<MiddlewarePtr> middleware;
+	std::function<void(HTTPReply&, const HTTPContext&)> handle;
 };
 
 // WebSocket event structure
@@ -68,6 +87,8 @@ public:
 	void RegisterWSEvent(WSEvent event);
 	// Register WebSocket subscription to be handled by the server
 	void RegisterWSSubscription(const std::string& subscription);
+	// Add global middleware that applies to all routes
+	void AddGlobalMiddleware(MiddlewarePtr middleware);
 	// Returns if the web server is enabled
 	bool IsEnabled() const { return enabled; };
 	// Send a message to all connected WebSocket clients that are subscribed to the given topic