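from functools import wraps

from flask import jsonify
from flask_jwt_extended import get_jwt, verify_jwt_in_request


def _roles_from_claims(claims) -> list:
    """Return the ``roles`` claim as a list, failing closed on unexpected shapes.

    A bare string is treated as a single role; a missing/``None`` claim as no
    roles. Any other non-sequence value (a dict, an int, ...) yields an empty
    list so the caller denies access rather than raising a 500 -- and a string
    is never iterated character by character, which the naive ``for role in
    claims["roles"]`` would do.
    """
    claimed = claims.get("roles")
    if claimed is None:
        return []
    if isinstance(claimed, str):
        return [claimed]
    if isinstance(claimed, (list, tuple, set, frozenset)):
        return list(claimed)
    return []


def roles_required(*roles):
    """Decorator: require a JWT whose ``roles`` claim holds at least one of *roles*.

    ``verify_jwt_in_request()`` runs before any claim is read, so the ``roles``
    claim is trusted only to the extent that the token's signature/expiry
    validation succeeded; the claim must be set server-side when the token is
    issued and never taken from the client. A valid token carrying none of the
    required roles gets a JSON 403. A missing or invalid token is handled by
    flask-jwt-extended's own error handlers (typically a 401), not here.

    Called with no *roles*, the decorator denies every request (fail closed);
    that is almost certainly a misconfiguration of the caller.
    """
    required = tuple(roles)

    def wrapper(fn):
        @wraps(fn)
        def decorator(*args, **kwargs):
            verify_jwt_in_request()
            granted = _roles_from_claims(get_jwt())
            # Membership test against a tuple rather than a set so an
            # unhashable claim entry (e.g. a nested dict) simply fails to
            # match instead of raising TypeError.
            if not any(role in required for role in granted):
                return jsonify(msg="Forbidden: insufficient permissions"), 403
            return fn(*args, **kwargs)

        return decorator

    return wrapper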