# IGF HR Backend

Auth against **admins** collection only (same MongoDB as CRM). No people collection.

## Auth flow

- **POST /api/login** (public): Manager + Employee only. Body `{ email, password }`. Rejects `role_name === "IGF SuperAdmin"` (403). Stored password may be a bcrypt hash or, for legacy accounts, an md5 hash or plaintext. Returns JWT.
- **POST /api/admin/login** (public): SuperAdmin only. Same body; allows only `role_name === "IGF SuperAdmin"`. Returns JWT.
- **Auth middleware**: skips both login routes. Verifies JWT, loads Admin, sets `req.admin` and `req.role`: `"IGF Manager"` → manager, `"IGF SuperAdmin"` → superadmin, else → employee.
- **GET /api/me** (protected): returns `{ _id, username, email, role }` (role: manager | employee | superadmin).

## Files

| File | Purpose |
|------|--------|
| `server.js` | POST /api/login, POST /api/admin/login, auth middleware, GET /api/me. |
| `middleware/authMiddleware.js` | Skips POST /api/login and POST /api/admin/login; JWT → Admin → req.role. |
| `models/Admin.js` | Admin model (admins collection, role_name). |

## API

- **POST /api/login** – Manager/Employee. Body: `{ email, password }`. Returns `{ token, username, email }` or 401/403.
- **POST /api/admin/login** – SuperAdmin only. Same body. Returns token or 401/403.
- **GET /api/me** (protected) – `{ _id, username, email, role }`.

All /api routes except the two login endpoints require `Authorization: Bearer <token>`.
