LOGIN
Frontend:
- User enters credentials → POST /api/auth/login → browser stores the cookie from the response + user info returned in the body → save user info in AuthContext → redirect based on role
Backend:
- Verify credentials → generate JWT → set cookie (should be HttpOnly, Secure and SameSite so page scripts cannot read the token and cross-site requests do not carry it) + return user info (never the token itself)

ACCESS PROTECTED ROUTE
Frontend:
- ProtectedRoute reads AuthContext → if loading: show spinner → if user & role ok: render page → else redirect
Backend:
- Route middleware `protect` (verifies the JWT cookie and attaches the user to the request) + `restrictTo(role)` (checks the role from the verified token) enforces API security. This is not optional: ProtectedRoute only decides what the UI renders, and anyone can call the API directly with curl, so every protected endpoint must run these checks server-side.

LOGOUT
Frontend:
- Call /api/auth/logout → server response clears the cookie → clear AuthContext → redirect
Backend:
- Clears the JWT cookie (Set-Cookie for the same name with Max-Age=0). Note that this does not invalidate the token itself; it remains valid until its `exp` claim unless the server keeps a denylist, so keep JWT lifetimes short.