DRY & KISS Principles

Which aspect of this authentication middleware violates the KISS principle?
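/**
 * Express middleware that authenticates a request from a JWT.
 *
 * On success the loaded user document (password excluded, roles and
 * permissions populated) is attached to `req.user` and `next()` is called.
 * On failure the response depends on what the client accepts: a 401 JSON
 * body, a redirect to `/login`, or a 401 plain-text body.
 *
 * @param {object} req - Express request.
 * @param {object} res - Express response.
 * @param {Function} next - Called only when authentication succeeds.
 * @returns {Promise<*>} Resolves once a response is sent or `next()` has run.
 */
const authenticate = async (req, res, next) => {
  // Lookup order: Authorization header, query string, cookie, request body.
  // Every extra source is another place a credential can leak or be planted:
  // a query-string token ends up in access logs, browser history and Referer
  // headers, and a cookie-borne token is sent automatically by the browser,
  // so state-changing routes behind this middleware need CSRF protection.
  // `req.cookies` and `req.body` exist only when the matching parser
  // middleware is mounted; the optional chaining keeps a missing parser from
  // throwing here, outside the try block, where nothing would send a reply.
  const token = req.headers.authorization?.split(' ')[1] ||
    req.query.token ||
    req.cookies?.token ||
    req.body?.token;

  if (!token) {
    if (req.accepts('json')) {
      return res.status(401).json({ error: 'No token provided' });
    } else if (req.accepts('html')) {
      return res.redirect('/login');
    } else {
      return res.status(401).send('No token provided');
    }
  }

  try {
    // NOTE(review): no `algorithms` option is passed, so the accepted set is
    // whatever the JWT library defaults to for this key type. Pin it to the
    // algorithm the issuer actually signs with.
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    const user = await User.findById(decoded.userId)
      .select('-password')
      .populate('roles')
      .populate('permissions');

    if (!user) {
      throw new Error('User not found');
    }

    // A token whose version differs from the stored user's is rejected even
    // though its signature verified.
    if (user.tokenVersion !== decoded.tokenVersion) {
      throw new Error('Token expired');
    }

    req.user = user;
    next();
  } catch (error) {
    // Every failure gets the same client-facing text. Echoing
    // `error.message` would tell the caller whether the account exists or
    // the signature failed, and would expose database or library error text
    // when the lookup itself throws. Record `error` with the application's
    // server-side logger instead.
    const message = 'Invalid or expired token';
    if (req.accepts('json')) {
      return res.status(401).json({ error: message });
    } else if (req.accepts('html')) {
      return res.redirect('/login');
    } else {
      return res.status(401).send(message);
    }
  }
};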