Description:
Currently our API calls are not protected. This means anyone with Postman or a similar tool can pull data from our databases with no authentication.
What needs to be done is that every API needs to be reviewed to see which calls need authentication, and also what data is returned to the user based on the user's access level.
TODO:
- Better Auth sends the authentication cookie with requests; we can use it on the API side to authenticate users and get the user data of the one making the API call.
- Look at what the Rainbow Roundup project did; I can also help with this. This is an API of theirs that does auth pretty well.
- Restrict the Prisma DB calls based on the permission level of the user.
  - i.e.: a regular viewer should not be able to get other users' emails unless there is a specific reason for them to.
  - One good way is to look at the UI element of the thing calling the API:
    - If the UI element is not showing user emails, then there is no reason for the API call to return user emails.
    - Or if the UI does not allow a regular user to create a user, then the API should also not allow it.
    - Though this is not definitive: if what the UI does doesn't make sense, don't allow it with the API. We can modify the UI to make sense if need be.
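The pattern the TODO describes, as an added example that is not code from this issue or from the project: authenticate the caller from the session cookie, then build a Prisma-style `select` from the caller's role so a viewer never receives other users' emails, and refuse actions (creating a user) the UI would not offer that role. The `getSession` function and the in-memory `USERS` table are constructed stand-ins for Better Auth's server-side `auth.api.getSession({ headers })` and Prisma's `prisma.user.findMany({ select })`; the cookie name, roles and sample users are assumptions for the example.

```typescript
// Added example, not project code. Session lookup and the "database" are
// constructed stand-ins for Better Auth and Prisma so the file runs offline.

type Role = "viewer" | "editor" | "admin";

type SessionUser = { id: string; role: Role };

// Shape of a row in the constructed "users" table (sample data, not real users).
type UserRecord = { id: string; name: string; email: string; role: Role };

const USERS: UserRecord[] = [
  { id: "u1", name: "Alice", email: "alice@example.com", role: "admin" },
  { id: "u2", name: "Bob", email: "bob@example.com", role: "viewer" },
  { id: "u3", name: "Carol", email: "carol@example.com", role: "editor" },
];

// Constructed session store: cookie value -> authenticated user. In the real
// app this lookup is done by Better Auth (auth.api.getSession) against its store.
const SESSIONS: Record<string, SessionUser> = {
  "sess-admin": { id: "u1", role: "admin" },
  "sess-viewer": { id: "u2", role: "viewer" },
};

// Stand-in for auth.api.getSession: parse the Cookie header and resolve the
// "session" cookie (assumed name). Returns null when no valid session is found.
function getSession(cookieHeader: string | undefined): SessionUser | null {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name === "session" && value && SESSIONS[value]) return SESSIONS[value];
  }
  return null;
}

// Prisma-style select object listing the fields this role may see on OTHER users.
// Viewers and editors get id and name only; admins also get email and role.
function selectForRole(role: Role): Record<string, boolean> {
  const base: Record<string, boolean> = { id: true, name: true };
  return role === "admin" ? { ...base, email: true, role: true } : base;
}

// In-memory equivalent of findMany({ select }): copy only the selected fields.
function project(row: UserRecord, select: Record<string, boolean>): Partial<UserRecord> {
  const src: Record<string, unknown> = row;
  const out: Record<string, unknown> = {};
  for (const [field, wanted] of Object.entries(select)) {
    if (wanted && field in src) out[field] = src[field];
  }
  return out as Partial<UserRecord>;
}

type ApiResponse = { status: number; body: unknown };

// GET /api/users: require a session, then return only what the caller's role allows.
// The caller's own row always includes their email (a "specific reason" to return it).
function listUsers(cookieHeader: string | undefined): ApiResponse {
  const session = getSession(cookieHeader);
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  const select = selectForRole(session.role);
  const rows = USERS.map((u) =>
    u.id === session.id ? project(u, { ...select, email: true }) : project(u, select),
  );
  return { status: 200, body: rows };
}

// POST /api/users: the UI only offers "create user" to admins, so the API enforces the same.
function createUser(
  cookieHeader: string | undefined,
  input: { name: string; email: string },
): ApiResponse {
  const session = getSession(cookieHeader);
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  if (session.role !== "admin") return { status: 403, body: { error: "forbidden" } };
  const id = `u${USERS.length + 1}`;
  USERS.push({ id, name: input.name, email: input.email, role: "viewer" });
  return { status: 201, body: { id } };
}

// Demo: a viewer listing users sees no one else's email.
console.log(JSON.stringify(listUsers("theme=dark; session=sess-viewer").body));
```

The important design choice is that the projection is decided server-side from the session's role, never from anything the client sends; the same `selectForRole` object can be passed straight to Prisma's `select`, so the database query itself never fetches columns the caller is not allowed to see.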