diff --git a/src/main/java/com/vibevault/security/JwtAuthenticationFilter.java b/src/main/java/com/vibevault/security/JwtAuthenticationFilter.java
index 1adb9a8..3587d37 100644
--- a/src/main/java/com/vibevault/security/JwtAuthenticationFilter.java
+++ b/src/main/java/com/vibevault/security/JwtAuthenticationFilter.java
@@ -66,9 +66,9 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
 .orElse(null);
 if (user != null && jwtService.isTokenValid(jwt, user)) {
- // 设置用户角色(当前只有默认角色)
+ // 从用户实体获取角色
 List authorities = Collections.singletonList(
- new SimpleGrantedAuthority("ROLE_USER")
+ new SimpleGrantedAuthority(user.getRole())
 );
 UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
diff --git a/src/main/java/com/vibevault/security/JwtService.java b/src/main/java/com/vibevault/security/JwtService.java
index a87fef7..b581346 100644
--- a/src/main/java/com/vibevault/security/JwtService.java
+++ b/src/main/java/com/vibevault/security/JwtService.java
@@ -69,6 +69,7 @@ public class JwtService {
 return username.equals(extractedUsername) && expirationDate.after(now);
 } catch (Exception e) {
+ // 任何异常都表示 token 无效
 return false;
 }
 }
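Review bot: `new SimpleGrantedAuthority(user.getRole())` takes the stored role with no null or blank check, and Spring Security's `SimpleGrantedAuthority` constructor rejects empty text, so an account whose role is unset (presumably possible for rows created while `ROLE_USER` was hard-coded) would make the filter throw on every request that carries its otherwise valid token. Read the value first and fall back to the least-privileged role: `String role = user.getRole();` followed by `if (role == null || role.isBlank()) role = "ROLE_USER";`. It is also worth confirming that stored values carry the `ROLE_` prefix, because `hasRole("ADMIN")` matches the authority `ROLE_ADMIN` and an unprefixed value would silently fail those checks. The enclosing method starts and ends outside the hunk.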
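Review bot: The added comment documents `catch (Exception e)` as "any exception means the token is invalid", but the block still returns `false` without recording anything, so a bad signature, an expired token and a programming or configuration error (for example a null username) all look identical and leave no trace for detection or debugging. Consider logging the exception class and message through the class's existing logger, without the token value itself, and narrowing the catch to the JWT library's exception type if unexpected failures should surface instead of being reported as an invalid token. The try block starts outside the hunk.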