sam-api/app/Http/Middleware/CheckPermission.php
2025-07-17 10:05:47 +09:00


<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use App\Services\AdminPermissionService;
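/**
 * Route middleware that gates a request on a single permission code.
 *
 * The caller's token is read from the `user_token` request input first and,
 * when that is absent, from the `X-API-KEY` header. The authorization decision
 * itself is delegated to AdminPermissionService::hasPermission().
 */
class CheckPermission
{
    /**
     * Reject the request unless the presented token holds $permissionCode.
     *
     * @param Request $request        Incoming HTTP request.
     * @param Closure $next           Next handler in the middleware pipeline.
     * @param string  $permissionCode Permission code supplied as the middleware parameter.
     *
     * @return mixed A 401 JSON response when no usable token is present, a 403 JSON
     *               response when the permission check fails, otherwise whatever
     *               $next returns.
     */
    public function handle(Request $request, Closure $next, string $permissionCode)
    {
        // SECURITY NOTE(review): Request::input() also reads the query string, so a
        // token sent as ?user_token=... can end up in access logs, proxy logs and
        // Referer headers. Prefer the X-API-KEY header; consider retiring the
        // input fallback once clients have migrated.
        $userToken = $request->input('user_token');

        // `user_token[]=x` arrives as an array. Only a non-empty string is a usable
        // token; anything else falls back to the header instead of being passed on
        // to the permission service.
        if (!is_string($userToken) || $userToken === '') {
            $userToken = $request->header('X-API-KEY');
        }

        if (!is_string($userToken) || $userToken === '') {
            // Message: "There is no token."
            return response()->json(['error' => '토큰이 없습니다.'], 401);
        }

        // NOTE(review): token validity (existence, expiry, revocation) is presumably
        // checked inside hasPermission(); that is not visible here, so confirm it.
        if (!AdminPermissionService::hasPermission($userToken, $permissionCode)) {
            // Message: "You do not have permission."
            return response()->json(['error' => '권한이 없습니다.'], 403);
        }

        return $next($request);
    }
}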