Add detailed logging to auth flow on backend and iOS

backend/src/middleware/auth.ts

@@ -8,8 +8,11 @@ export async function requireAuth(
   res: Response,
   next: NextFunction
 ): Promise<void> {
+  const tag = `[requireAuth] ${req.method} ${req.path}`;
+
   // 1. Session-based auth (web frontend)
   if (req.session?.user) {
+    console.log(`${tag} -> session auth OK (user: ${req.session.user.id})`);
     req.user = req.session.user as AuthenticatedUser;
     return next();
   }
@@ -18,17 +21,24 @@ export async function requireAuth(
   const authHeader = req.headers.authorization;
   if (authHeader?.startsWith('Bearer ')) {
     const token = authHeader.slice(7);
+    console.log(`${tag} -> Bearer token present (first 20 chars: ${token.slice(0, 20)}…)`);
     try {
-      // Verify the backend-signed JWT locally — no IDP network call needed.
       req.user = verifyBackendJwt(token);
+      console.log(`${tag} -> JWT auth OK (user: ${req.user.id})`);
       return next();
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
+      console.warn(`${tag} -> JWT verification failed: ${message}`);
       res.status(401).json({ error: `Unauthorized: ${message}` });
       return;
     }
   }
 
+  if (authHeader) {
+    console.warn(`${tag} -> Authorization header present but not a Bearer token: "${authHeader.slice(0, 30)}…"`);
+  } else {
+    console.warn(`${tag} -> No session and no Authorization header`);
+  }
   res.status(401).json({ error: 'Unauthorized' });
 }