generated from skills/integrate-mcp-with-copilot
Open
Description
Goal
Add user accounts and role-based access control so we can distinguish admins from students and protect admin-only endpoints.
Acceptance criteria
- User model with email, password hash, and role (at minimum: admin, student).
- Register and login endpoints implemented.
- JWT-based authentication issuing access tokens; protected endpoints accept JWT.
- Role-checking middleware/dependency for admin-only endpoints.
- README updated with auth setup and how to create an initial admin user.
Notes
- Keep password hashing secure (bcrypt).
- Keep tokens short-lived for access and consider refresh tokens if needed later.
Estimate: medium (3–8 hours).
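
A sketch of the JWT and role-check criteria above, as an added example that is not code from this repository. It hand-rolls HS256 with the Python standard library so it runs offline; a real implementation would use a maintained JWT library and bcrypt for passwords. `SECRET`, `ACCESS_TTL` and all function names are assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: real apps load this from a secret store
ACCESS_TTL = 15 * 60                 # assumption: 15-minute access tokens

class AuthError(Exception):
    """Raised for any token that must not be trusted."""

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64e(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_token(email: str, role: str, now=None) -> str:
    now = int(time.time() if now is None else now)
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": email, "role": role, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = header + "." + b64e(json.dumps(claims).encode())
    return signing_input + "." + sign(signing_input)

def verify_token(token: str, now=None) -> dict:
    try:
        header_b64, claims_b64, sig = token.split(".")
        header = json.loads(b64d(header_b64))
        # Pin the algorithm server-side; never let the token choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise AuthError("unexpected algorithm")
        expected = sign(header_b64 + "." + claims_b64)
        # Constant-time comparison, done before the claims are parsed.
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            raise AuthError("bad signature")
        claims = json.loads(b64d(claims_b64))
    except ValueError:
        raise AuthError("malformed token")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise AuthError("token expired")
    return claims

def require_role(token: str, role: str, now=None) -> dict:
    """Role check for admin-only endpoints: authenticate first, then authorize."""
    claims = verify_token(token, now)
    if claims.get("role") != role:
        raise AuthError("forbidden")
    return claims
```

In a web framework, `require_role` would sit behind the middleware or dependency that extracts the bearer token from the `Authorization` header.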