Security: JWT authentication

Summary

JWT-based authentication for protected routes.

User story

As a user, I want secure login so my actions are authenticated and authorized.

Scope

  • Auth routes: /auth/register, /auth/login.
  • JWT issued on login; authMiddleware verifies and injects req.userId.
  • Protect CRUD (owner checks for update/delete) and attendance endpoints.

Tasks

  • User model (hashed passwords).
  • Register/Login endpoints + tests.
  • Middleware, attach to protected routes.
  • Error responses: 401/403.
  • README/Wiki: security notes & .env guidance.

Acceptance criteria

  • Valid credentials → 200 + token; invalid → 401.
  • Protected routes require Authorization header.
  • Owner-only actions enforced (403 otherwise).

Test notes

  • Expired token → 401; malformed token → 401.

Dependencies

  • Blocks: CRUD, Join/Leave features.