diff --git a/src/server.js b/src/server.js
index 5014071..63e09f1 100644
--- a/src/server.js
+++ b/src/server.js
@@ -16,17 +16,41 @@ const users = [
 
 // --- LOGIN ROUTE ---
 app.post("/login", (req, res) => {
-
+ const { username, password } = req.body;
+ const user = users.find(
+ (u) => u.username === username && u.password === password
+ );
+
+ if (!user) {
+ return res.status(401).json({ message: "Invalid credentials" });
+ }
+ const token=jwt.sign({username:user.username,role:user.role},JWT_SECRET)
+ res.json({ token });
 });
 
 // --- AUTH MIDDLEWARE ---
 const authenticate = (req, res, next) => {
-
+ const authHeader= req.headers.authorization;
+ if(!authHeader){
+ return res.status(401).json({ "message": "Missing token" })
+ }
+ const token=authHeader.split(" ")[1];
+ try{
+ const decoded=jwt.verify(token,JWT_SECRET)
+ req.user=decoded;
+ next()
+
+ }catch(err){
+ return res.status(403).json({ "message": "Invalid token" })
+ }
 };
 
 // --- ROLE CHECK MIDDLEWARE ---
 const authorize = (allowedRoles) => (req, res, next) => {
-
+ if (!allowedRoles.includes(req.user.role)){
+ return res.status(403).json({ message: "Access denied" });
+ }
+ next()
 };
 
 // --- PROTECTED ROUTES ---
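Review bot: The login handler compares the submitted password directly against `u.password` with `===`, which implies the `users` array (declared above the hunk) holds plaintext credentials; store a salted hash instead and compare the derived key with a constant-time check such as `crypto.timingSafeEqual`, since a plain string comparison on a secret also leaks timing. The issued token carries no expiry and the verifier does not pin the algorithm, so the two calls should read `jwt.sign({ username: user.username, role: user.role }, JWT_SECRET, { expiresIn: "1h" })` (lifetime value illustrative) and `jwt.verify(token, JWT_SECRET, { algorithms: ["HS256"] })`. `authorize` dereferences `req.user.role` unconditionally, so a route that mounts it without `authenticate` throws a TypeError and answers 500 rather than 401; `req.user?.role` keeps the deny path intact. The `authHeader.split(" ")[1]` line also accepts any scheme rather than only `Bearer`, so a malformed header is reported as 403 "Invalid token" instead of a clear 401, and the unused `err` in the catch block should be logged or dropped.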