Add the authenticateToken middleware and authorisation checks to any routes you want to protect.

Test your protected routes with and without the Authorization header, and try accessing different user IDs to verify that users can only modify their own accounts.
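The checks described above, as an added example (not code from the original tutorial): it assumes an `authenticateToken` that verifies an HS256 bearer token and a hypothetical `requireSelf` ownership check, and drives both with mock request and response objects. `SECRET`, `signToken`, `probe`, the status codes and the user IDs are assumptions, and token expiry is not checked here.

```javascript
// Added example: assumed shapes for authenticateToken and an ownership check,
// exercised with mock req/res objects. Secret, user IDs and tokens are constructed.
const crypto = require('node:crypto');

const SECRET = 'constructed-test-secret'; // placeholder; load from configuration in a real app
const b64url = (v) => Buffer.from(v).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Test helper: issue an HS256 token for a given payload.
function signToken(payload) {
  const body = `${b64url('{"alg":"HS256","typ":"JWT"}')}.${b64url(JSON.stringify(payload))}`;
  return `${body}.${mac(body).toString('base64url')}`;
}

// Authentication: 401 when the header is missing, 403 when the token does not verify.
// The algorithm is fixed to HS256 here; the token's own "alg" field is never trusted.
function authenticateToken(req, res, next) {
  const [scheme, token] = (req.headers.authorization || '').split(' ');
  if (scheme !== 'Bearer' || !token) return res.status(401).json({ error: 'missing token' });
  const [h, p, sig] = token.split('.');
  const given = Buffer.from(sig || '', 'base64url');
  const expected = mac(`${h}.${p}`);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return res.status(403).json({ error: 'invalid token' });
  }
  req.user = JSON.parse(Buffer.from(p, 'base64url').toString());
  next();
}

// Authorisation: the :id in the route must be the caller's own ID.
function requireSelf(req, res, next) {
  if (String(req.user.id) !== String(req.params.id)) return res.status(403).json({ error: 'forbidden' });
  next();
}

// Run both checks against a mock request and return the resulting status code.
function probe(authHeader, targetId) {
  const req = { headers: authHeader ? { authorization: authHeader } : {}, params: { id: targetId } };
  const res = { statusCode: null, status(c) { this.statusCode = c; return this; }, json() { return this; } };
  authenticateToken(req, res, () => requireSelf(req, res, () => res.status(200).json({})));
  return res.statusCode;
}

const token = signToken({ id: 1 });
// No header, own ID, another user's ID, modified token.
console.log(probe(null, '1'), probe(`Bearer ${token}`, '1'), probe(`Bearer ${token}`, '2'), probe(`Bearer ${token}x`, '1'));
```

Against a running server the same four cases are a request without the header, one with your own token and ID, one with your token and another user's ID, and one with a modified token.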
