// Admin-only route to add points app.post('/admin/add-points', verifyAdmin, async (req, res) => { const { userId, points } = req.body; await Users.updateOne({ _id: userId }, { $inc: { points } }); res.json({ success: true, message: ${points} points added }); }); function verifyAdmin(req, res, next) { // Example: Check JWT token for admin role const token = req.headers.authorization?.split(' ')[1]; if (!token) return res.status(403).json({ error: 'Unauthorized' }); const decoded = jwt.verify(token, process.env.JWT_SECRET); if (decoded.role !== 'admin') return res.status(403).json({ error: 'Forbidden' }); next(); }