module.exports = function requireAuth(req, res, next) {
  if (req.session?.user?.authenticated) {
    return next();
  }

  // chamadas AJAX / API
  if (req.xhr || req.headers.accept?.includes('application/json')) {
    return res.status(401).json({ error: 'not_authenticated' });
  }

  return res.redirect('/login');
};