Add authentication to the system so the server can identify users and restrict access to protected resources.
Users authenticate by submitting their email and password through a login form. The server never stores the password itself: it hashes the submitted password with the salt recorded for that user and compares the result, in constant time, to the password hash stored in the database. Once verified, the server creates a session keyed by a random, unguessable session ID and sends that ID to the browser in an HTTP-only cookie, so page scripts cannot read it. On subsequent requests the browser presents this cookie, and the server maps it back to the user.
Authentication is session-based: one helper creates a session and associates it with the user after a successful login, and another looks up the session named by the cookie on each protected request. Only a session that exists in the store and has not expired counts as valid.
A requireAuth helper acts as the gatekeeper for protected routes. If the cookie names a valid session, the request continues with the user attached. If not, the request is rejected with a 401 Unauthorized response (an authentication failure: the server does not yet know who the caller is, so no authorization decision has been made).
Protected API endpoints are tested by making requests while logged out. The server correctly rejects these requests and returns a 401 Unauthorized response with a clear error message indicating authentication is required.
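The flow described above, written out end to end as an added example for this page (it is not the project's own code): scrypt password hashing with a per-user salt and a constant-time comparison, a random session ID delivered in an HttpOnly cookie, and a requireAuth wrapper that answers 401 when the cookie is missing, unknown or expired. The Request and Response classes, the in-memory USERS table and SESSIONS store, and the login/get_profile handlers are assumptions that stand in for a real web framework and database.

```python
# Added example for this page, not the project's code. Request/Response, USERS
# and SESSIONS are assumptions standing in for a web framework and a database.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)
    user: Optional[dict] = None


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def hash_password(password: str) -> str:
    """scrypt with a fresh 16-byte salt; the salt is stored beside the hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user table (a real system reads this from the database).
USERS = {"alice@example.com": {"id": 1,
                               "password_hash": hash_password("correct horse battery staple")}}
# Hash checked for unknown emails so a missing account costs the same time as
# a wrong password (keeps login timing from revealing which emails exist).
_DUMMY_HASH = hash_password(secrets.token_hex(8))

SESSIONS: dict = {}          # session id -> {"user_id": ..., "expires": ...}
SESSION_TTL = 3600           # seconds


def login(req: Request) -> Response:
    email = req.body.get("email", "")
    password = req.body.get("password", "")
    user = USERS.get(email)
    ok = verify_password(password, user["password_hash"] if user else _DUMMY_HASH)
    if not (user and ok):
        return Response(401, {"error": "invalid email or password"})
    sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {"user_id": user["id"], "expires": time.time() + SESSION_TTL}
    # HttpOnly keeps scripts away from the id; Secure restricts it to HTTPS;
    # SameSite=Lax stops the browser attaching it to cross-site POSTs.
    cookie = f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return Response(200, {"ok": True}, {"Set-Cookie": cookie})


def _session_from_cookie(req: Request) -> Optional[dict]:
    pairs = (p.strip().split("=", 1) for p in req.headers.get("Cookie", "").split(";"))
    cookies = {k: v for k, v in (p for p in pairs if len(p) == 2)}
    sid = cookies.get("sid", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["expires"] < time.time():
        SESSIONS.pop(sid, None)       # expired: drop it and treat as absent
        return None
    return sess


def require_auth(handler):
    """Gatekeeper: run handler only when the cookie names a live session."""
    def wrapped(req: Request) -> Response:
        sess = _session_from_cookie(req)
        if sess is None:
            return Response(401, {"error": "authentication required"})
        req.user = {"id": sess["user_id"]}
        return handler(req)
    return wrapped


@require_auth
def get_profile(req: Request) -> Response:
    return Response(200, {"user_id": req.user["id"]})


if __name__ == "__main__":
    print(get_profile(Request()).status)                                   # 401 while logged out
    r = login(Request(body={"email": "alice@example.com",
                            "password": "correct horse battery staple"}))
    sid_cookie = r.headers["Set-Cookie"].split(";")[0]
    print(get_profile(Request(headers={"Cookie": sid_cookie})).status)      # 200 with the cookie
```

The dummy-hash check on unknown emails and the single "invalid email or password" message are deliberate: returning early for a missing account, or saying which half was wrong, lets an attacker enumerate registered addresses. Expired sessions are removed when first seen so the store does not grow without bound; a production system would also delete the entry on logout and rotate the ID on login.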