const jwt = require('jsonwebtoken'); const JWT_SECRET = process.env.JWT_SECRET || 'change-this-secret'; const authenticate = (req, res, next) => { try { const token = req.headers.authorization?.split(' ')[1]; if (!token) return res.status(401).json({ error: 'No token' }); req.user = jwt.verify(token, JWT_SECRET); next(); } catch (error) { res.status(401).json({ error: 'Invalid token' }); } }; const authorize = (roles) => (req, res, next) => { if (!roles.includes(req.user.role)) return res.status(403).json({ error: 'Forbidden' }); next(); }; module.exports = { authenticate, authorize, JWT_SECRET };