diff --git a/server/api/updates/[id].get.js b/server/api/updates/[id].get.js index d17ecaf..84dc4d7 100644 --- a/server/api/updates/[id].get.js +++ b/server/api/updates/[id].get.js @@ -1,22 +1,13 @@ -import jwt from "jsonwebtoken"; import Update from "../../models/update.js"; -import { connectDB } from "../../utils/mongoose.js"; export default defineEventHandler(async (event) => { - await connectDB(); - const id = getRouterParam(event, "id"); - const token = getCookie(event, "auth-token"); - let memberId = null; - - // Check if user is authenticated - if (token) { - try { - const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret); - memberId = decoded.memberId; - } catch (err) { - // Token invalid, continue as non-member - } + let memberId = null + try { + const member = await requireAuth(event) + memberId = member._id.toString() + } catch { + // Not authenticated — continue with public-only access } try { diff --git a/server/api/updates/index.get.js b/server/api/updates/index.get.js index f6f5d90..517f77e 100644 --- a/server/api/updates/index.get.js +++ b/server/api/updates/index.get.js @@ -1,21 +1,12 @@ -import jwt from "jsonwebtoken"; import Update from "../../models/update.js"; -import { connectDB } from "../../utils/mongoose.js"; export default defineEventHandler(async (event) => { - await connectDB(); - - const token = getCookie(event, "auth-token"); - let memberId = null; - - // Check if user is authenticated - if (token) { - try { - const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret); - memberId = decoded.memberId; - } catch (err) { - // Token invalid, continue as non-member - } + let memberId = null + try { + const member = await requireAuth(event) + memberId = member._id.toString() + } catch { + // Not authenticated — continue with public-only access } const query = getQuery(event); diff --git a/server/api/updates/user/[id].get.js b/server/api/updates/user/[id].get.js index d5de64a..527195e 100644 
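Review bot: The bare `catch {}` around `requireAuth(event)` treats every failure as "not authenticated", so a database or configuration error inside the helper silently downgrades a signed-in member to public-only access and logs nothing; the same block is repeated in the `index.get.js` hunk and the `user/[id].get.js` hunk. The downgrade fails closed, which is the safe direction, but it hides outages and makes real auth failures indistinguishable from anonymous traffic. The definition of `requireAuth` is not in this diff, so confirm how it signals rejection; if it throws an h3 error with a status code, rethrow everything else, e.g. `} catch (err) { if (err?.statusCode !== 401) throw err }`. Because three handlers now carry an identical copy, a single optional-auth helper that returns the member or `null` would keep that policy in one place. The handler body continues outside the hunk.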
--- a/server/api/updates/user/[id].get.js +++ b/server/api/updates/user/[id].get.js @@ -1,23 +1,14 @@ -import jwt from "jsonwebtoken"; import Update from "../../../models/update.js"; import Member from "../../../models/member.js"; -import { connectDB } from "../../../utils/mongoose.js"; export default defineEventHandler(async (event) => { - await connectDB(); - const userId = getRouterParam(event, "id"); - const token = getCookie(event, "auth-token"); - let currentMemberId = null; - - // Check if user is authenticated - if (token) { - try { - const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret); - currentMemberId = decoded.memberId; - } catch (err) { - // Token invalid, continue as non-member - } + let currentMemberId = null + try { + const member = await requireAuth(event) + currentMemberId = member._id.toString() + } catch { + // Not authenticated — continue with public-only access } const query = getQuery(event);
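Review bot: With `await connectDB()` removed, the queries later in this handler (the file still imports `Update` and `Member`) only have a connection if something else opened it, and on the anonymous path `requireAuth(event)` may have thrown before reaching any connection logic. Neither `requireAuth` nor a startup plugin is visible in this diff, so confirm that the connection is established independently of authentication, for example at server start. Otherwise unauthenticated requests to this handler, and to the two handlers in the earlier hunks, can fail or stall waiting for a connection. If the helper is the only place that connects, keep `await connectDB()` and its import at the top of these handlers. The handler body continues outside the hunk.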