const jwt = require('jsonwebtoken')

module.exports = (req, res, next) => {
  req.user = null // default selalu null

  const authHeader = req.headers['authorization']
  if (authHeader) {
    const token = authHeader.split(' ')[1]
    if (token) {
      try {
        const decoded = jwt.verify(token, process.env.JWT_SECRET)
        req.user = decoded
      } catch (err) {
        // invalid → tetap null
      }
    }
  }

  next()
}