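const jwt = require("jsonwebtoken");
const { sendError } = require("../utils/http");

/**
 * Authentication middleware: verifies the JWT carried in the Authorization
 * header and exposes its decoded payload as `req.user`.
 *
 * Responses produced here (all via `sendError`):
 *   - 401 "Missing token"            no Authorization header
 *   - 401 "Invalid token format"     no second space-separated field
 *   - 500 "Server misconfiguration"  JWT_SECRET is unset or empty
 *   - 401 "Invalid or expired token" jwt.verify threw
 *
 * @param {object} req - request; reads `req.headers.authorization`, sets `req.user`.
 * @param {object} res - response, handed to `sendError` on failure.
 * @param {Function} next - called with no arguments once the token verifies.
 */
function auth(req, res, next) {
  const header = req.headers.authorization;
  if (!header) return sendError(res, 401, "Missing token");

  // The token is taken as the second space-separated field.
  // NOTE(review): the scheme word (first field) is not checked, so any
  // "<scheme> <token>" value is accepted — confirm whether only "Bearer"
  // should be allowed.
  const token = header.split(" ")[1];
  if (!token) return sendError(res, 401, "Invalid token format");

  // Fail closed when the signing key is absent. Without a key the signature
  // cannot be checked, and older jsonwebtoken releases are reported to fall
  // back to accepting unsigned tokens in that case — verify against the
  // installed version. Either way this is a deployment fault, not a client
  // error, so it is not reported as a 401.
  const secret = process.env.JWT_SECRET;
  if (!secret) return sendError(res, 500, "Server misconfiguration");

  let decoded;
  try {
    // NOTE(review): no `algorithms` option is passed, so the library's
    // defaults for the key type apply. Pinning the single algorithm the
    // issuer signs with is the usual hardening — confirm which one that is.
    decoded = jwt.verify(token, secret);
  } catch (err) {
    // Verification detail is deliberately not echoed to the client.
    return sendError(res, 401, "Invalid or expired token");
  }

  req.user = decoded; // id + role (per the token issuer; not validated here)

  // next() is called outside the try block so that an exception raised by
  // downstream handlers is not caught here and misreported as a 401.
  next();
}

module.exports = auth;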