• give an authToken on login/register in header
• add auth middleware to server
• check if this user has current collection in his list of collections

READ route doesn't have middleware. All collections are public ("shared") by default for now.