diff --git a/src/server.js b/src/server.js
index 5014071..2ef5381 100644
--- a/src/server.js
+++ b/src/server.js
@@ -16,22 +16,48 @@ const users = [
 // --- LOGIN ROUTE ---
 app.post("/login", (req, res) => {
+ const {username, password} = req.body;
+ const user=users.find((u)=>u.username===username && u.password===password)
+ if (!user){
+ return res.status(401).json({"message": "Invalid credentials" })
+ }
+ else{
+ const token = jwt.sign({ username: user.username, role: user.role }, JWT_SECRET);
+ return res.json({ token });
+ }
 });
 // --- AUTH MIDDLEWARE ---
 const authenticate = (req, res, next) => {
-
+ const authHeader = req.headers['authorization']
+ if (!authHeader){
+ return res.status(401).json({ message: "Missing token" })
+ }
+ if (!authHeader.startsWith("Bearer ")){
+ return res.status(403).json({ message: "Invalid token" })
+ }
+ const token = authHeader.split(" ")[1]
+ jwt.verify(token, JWT_SECRET, (err,decoded)=>{
+ if (err) {
+ return res.status(403).json({ message: "Invalid token" })
+ }
+req.user = decoded
+ next()
+ });
 };
-
 // --- ROLE CHECK MIDDLEWARE ---
 const authorize = (allowedRoles) => (req, res, next) => {
-
+ if (!allowedRoles.includes(req.user.role)){
+ return res.status(403).json({"message": "Access denied"})
+ }
+ next()
 };
 // --- PROTECTED ROUTES ---
 app.get("/admin", authenticate, authorize(["admin"]), (req, res) => {
 res.send("Welcome, admin!");
+
 });
 app.get("/teacher", authenticate, authorize(["teacher"]), (req, res) => {
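Review bot: The login handler authenticates by matching `u.password===password` against the in-memory `users` array, so credentials are stored and compared in plaintext and the comparison is not constant-time; the store should hold salted hashes (Node's `crypto.scrypt`), the check should use `crypto.timingSafeEqual` on the derived key, and the same 401 should be returned whether the username or the password failed. The token issued on success is signed with no expiry, so a leaked token stays valid until `JWT_SECRET` is rotated: `const token = jwt.sign({ username: user.username, role: user.role }, JWT_SECRET, { expiresIn: "1h" });`. In `authenticate`, `jwt.verify` does not pin the accepted algorithm to the one the secret is used with (presumably the HS256 default); `jwt.verify(token, JWT_SECRET, { algorithms: ["HS256"] }, (err, decoded) => {` keeps the verifier from accepting a token signed under a different algorithm. The `/teacher` handler at the end is cut off by the edge of the hunk, and whether a body parser is mounted ahead of `/login` is not visible here, so the `req.body` destructure is assumed rather than confirmed to be safe.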