diff --git a/controllers/auth.controller.js b/controllers/auth.controller.js
index 87425c1..daff027 100644
--- a/controllers/auth.controller.js
+++ b/controllers/auth.controller.js
@@ -20,22 +20,31 @@ class AuthController {
 return res.status(400).json(setResponse(errors, 'Validation failed', 400));
 }
+ // Convert nomor HP ke format +62
 if (value.phone && value.phone.startsWith('0')) {
 value.phone = '+62' + value.phone.slice(1);
 }
+ // Register user baru (is_approve default 0)
 const { user, tokens } = await AuthService.register(value);
- // Set refresh token in cookie
+ // Set refresh token di cookie
 res.cookie('refreshToken', tokens.refreshToken, {
 httpOnly: true,
- secure: false, //masih dev
+ secure: false, // masih dev
 sameSite: 'lax',
 maxAge: 7 * 24 * 60 * 60 * 1000 // 7 hari
 });
 return res.status(201).json(
- setResponse({ user, accessToken: tokens.accessToken }, 'User registered successfully', 201)
+ setResponse(
+ {
+ user: { ...user, approved: false }, // user belum disetujui
+ accessToken: tokens.accessToken
+ },
+ 'User registered successfully. Waiting for admin approval.',
+ 201
+ )
 );
 } catch (err) {
 return res.status(err.statusCode || 500).json(
@@ -68,7 +77,7 @@ class AuthController {
 const { user, tokens } = await AuthService.login({ email, password });
- // Set refresh token in cookie
+ // Set refresh token di cookie
 res.cookie('refreshToken', tokens.refreshToken, {
 httpOnly: true,
 secure: false, // masih dev
@@ -76,8 +85,20 @@ class AuthController {
 maxAge: 7 * 24 * 60 * 60 * 1000 // 7 hari
 });
+ let message = 'Login successful';
+ if (!user.is_approve) {
+ message = 'Login successful. Limited access until approved.';
+ }
+
 return res.status(200).json(
- setResponse({ user, accessToken: tokens.accessToken }, 'Login successful', 200)
+ setResponse(
+ {
+ user: { ...user, approved: !!user.is_approve },
+ accessToken: tokens.accessToken
+ },
+ message,
+ 200
+ )
 );
 } catch (err) {
 return res.status(err.statusCode || 500).json(
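Review bot: The register handler still returns `tokens.accessToken` and sets the 7-day `refreshToken` cookie for an account that the same response describes as waiting for admin approval, so approval is only a label unless code outside this hunk checks `is_approve` on every protected route. If unapproved users are not meant to hold a session, the tokens should be withheld until approval; otherwise the routes they may reach should be documented next to the cookie call. `approved: false` is hard-coded here while the login hunk derives it, and `approved: !!user.is_approve` would keep the two handlers consistent. The cookie line touched by this hunk keeps `secure: false`; `secure: process.env.NODE_ENV === 'production'` would stop the dev setting from reaching a deployed build, and the same applies to the cookie in the login handler. The handler starts and ends outside the hunk.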
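Review bot: `{ ...user, approved: !!user.is_approve }` in the login response copies every own enumerable property of whatever `AuthService.login` returns, so if that object is a model instance or a row that still carries the password hash, the spread would send it to the client (not visible in this hunk, to be confirmed). Building the response from an explicit list of fields avoids that; the register hunk uses the same spread. The "Limited access until approved" message is advisory only, since the access token issued here is the same for approved and unapproved users, and the limit has to be enforced server-side against `is_approve`. A comment such as `// approved is informational; authorization must check is_approve server-side` above the response would make that explicit.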
@@ -120,4 +141,4 @@ class AuthController {
 }
 }
-module.exports = AuthController;
+module.exports = AuthController;
\ No newline at end of file