no more 401 error for publicly browsing user

backend/middleware/apiLogger.js

@@ -37,7 +37,10 @@ const apiLogger = (req, res, next) => {
     };
 
     if (res.statusCode >= 400 && res.statusCode < 500) {
-      reqLogger.warn('API Response - Client Error', responseData);
+      // Don't log 401s for /users/profile - these are expected auth checks
+      if (!(res.statusCode === 401 && req.url === '/profile')) {
+        reqLogger.warn('API Response - Client Error', responseData);
+      }
     } else if (res.statusCode >= 500) {
       reqLogger.error('API Response - Server Error', responseData);
     } else {

backend/middleware/auth.js

@@ -58,4 +58,40 @@ const authenticateToken = async (req, res, next) => {
   }
 };
 
-module.exports = { authenticateToken };
+// Optional authentication - doesn't return 401 if no token, just continues
+const optionalAuth = async (req, res, next) => {
+  // Try to get token from cookie
+  let token = req.cookies?.accessToken;
+
+  if (!token) {
+    // No token is fine for optional auth, just continue
+    req.user = null;
+    return next();
+  }
+
+  try {
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const userId = decoded.id;
+
+    if (!userId) {
+      req.user = null;
+      return next();
+    }
+
+    const user = await User.findByPk(userId);
+
+    if (!user) {
+      req.user = null;
+      return next();
+    }
+
+    req.user = user;
+    next();
+  } catch (error) {
+    // Token invalid/expired is fine for optional auth
+    req.user = null;
+    next();
+  }
+};
+
+module.exports = { authenticateToken, optionalAuth };