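from functools import wraps

from flask import abort
from flask_jwt_extended import get_jwt


def role_required(*required_roles):
    """Restrict a Flask view to callers whose JWT carries a required role.

    The wrapped view runs only when at least one of ``required_roles`` is
    present in the ``"roles"`` claim of the current request's JWT; otherwise
    the request is aborted with HTTP 403.

    Notes:
        * This decorator performs authorization only. ``get_jwt()`` returns
          the claims of a token that has already been verified for this
          request, so the view must also be protected by ``@jwt_required()``
          (applied outside this decorator) or an explicit
          ``verify_jwt_in_request()`` call.
        * Roles are read from the token, so they reflect what was granted
          when the token was issued; a role removed server-side stays
          effective until the token expires or is revoked.
        * Calling ``role_required()`` with no roles denies every request,
          because ``any()`` over an empty sequence is false.

    Args:
        *required_roles: Role names, any one of which grants access.

    Returns:
        A decorator that wraps a view function with the role check.
    """

    def wrapper(fn):
        @wraps(fn)
        def decorator(*args, **kwargs):
            claims = get_jwt()
            user_roles = claims.get("roles", [])

            if isinstance(user_roles, str):
                # A bare string would turn `in` into a substring test, so a
                # "superadmin" claim would satisfy a required "admin" role.
                # Treat it as a single role name instead.
                user_roles = [user_roles]
            elif not isinstance(user_roles, (list, tuple, set, frozenset, dict)):
                # null / number / boolean claim: `in` would raise TypeError
                # and surface as a 500. A malformed claim grants nothing.
                user_roles = []

            if not any(role in user_roles for role in required_roles):
                abort(403, description="Access forbidden: insufficient role")
            return fn(*args, **kwargs)

        return decorator

    return wrapper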