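import jwt from "jsonwebtoken";

// Secret used to verify token signatures. There is deliberately no built-in
// fallback value: a default committed to source would let anyone who can read
// the code produce tokens that this middleware accepts.
const SECRET_KEY = process.env.SECRET_KEY;

/**
 * Express middleware that authenticates a request from its JWT.
 *
 * Reads the token from the second space-separated field of the
 * `Authorization` header, verifies it with `SECRET_KEY`, and on success sets
 * `req.user = { id }` from the token payload before calling `next()`.
 *
 * Responses:
 * - 500 if `SECRET_KEY` is unset or empty (fails closed).
 * - 401 if the token is missing, fails verification, or carries no `id`.
 *
 * @param {object} req - Express request; `req.headers.authorization` is read.
 * @param {object} res - Express response, used for the error replies.
 * @param {Function} next - Called with no arguments once `req.user` is set.
 */
export default function authenticateUser(req, res, next) {
  if (!SECRET_KEY) {
    // Fail closed: without a configured secret no token can be trusted.
    return res
      .status(500)
      .json({ error: "Authentication is not configured" });
  }

  // The scheme word (e.g. "Bearer") is not checked, only the field after it.
  const token = req.headers.authorization?.split(" ")[1];
  if (!token) {
    return res.status(401).json({ error: "Authorization token required" });
  }

  let id;
  try {
    // NOTE(review): consider passing `{ algorithms: [...] }` pinned to the
    // algorithm the token issuer uses; the issuer is not visible from here.
    ({ id } = jwt.verify(token, SECRET_KEY));
  } catch {
    // Same reply for every verification failure, so the response does not
    // reveal why the token was rejected.
    return res.status(401).json({ error: "Invalid or expired token" });
  }

  // A correctly signed token without an `id` claim must not authenticate as
  // `{ id: undefined }`.
  if (id == null) {
    return res.status(401).json({ error: "Invalid or expired token" });
  }

  req.user = { id }; // attach the id for downstream use
  // Called outside the try block so a downstream failure is not reported as
  // a bad token.
  next();
}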