Authorize middleware should be renamed, it does not authorize, it simply checks that the userId is in the request body. This functionality should not be part of the standard starter

The routes which actually need authorization should only rely on validateToken (which can be renamed into authorize actually)