server/middleware/auth.js

const jwt = require('jsonwebtoken');

const authMiddleware = (req, res, next) => {
    // Check for token in headers
    const authHeader = req.header('Authorization');

    if (!authHeader || !authHeader.startsWith('Bearer ')) {
        return res.status(401).json({ success: false, message: "Kirish huquqi yo'q. Token topilmadi." });
    }

    const token = authHeader.replace('Bearer ', '');
    const secret = process.env.JWT_SECRET || 'fallback_secret_for_dev_only';

    try {
        const decoded = jwt.verify(token, secret);
        req.user = decoded; // add user payload to request
        next();
    } catch (err) {
        res.status(401).json({ success: false, message: "Token yaroqsiz yoki muddati o'tgan." });
    }
};

module.exports = authMiddleware;