torneos/app/Core/Auth.php

<?php

namespace App\Core;

final class Auth
{
    public static function user(): ?array
    {
        $token = Request::bearerToken();
        return $token ? Jwt::decode($token) : null;
    }

    public static function requireRole(array $roles): array
    {
        $user = self::user();
        if (!$user) {
            Response::error('No autenticado', 401);
            exit;
        }

        if (!in_array($user['role'], $roles, true)) {
            Response::error('No autorizado', 403);
            exit;
        }

        return $user;
    }
}