Late in the project, we discovered that you can edit local storage variables and view someone else's library and add books, delete, etc. If we had more sensitive information, this would be a big issue. We don't currently, but I think it's still a good idea to secure user information. We are using sessions and the backend currently only checks to see if there is a user object, not if the user making the request is who they say they are. You always have access to the user object in the session as long as they are signed in. With that in mind, I think the backend endpoints can be cleaned up a bit by not asking for a user ID ever. Other information should go in the body as to not cause any other vulnerabilities as well.
Late in the project, we discovered that you can edit local storage variables and view someone else's library and add books, delete, etc. If we had more sensitive information, this would be a big issue. We don't currently, but I think it's still a good idea to secure user information. We are using sessions and the backend currently only checks to see if there is a user object, not if the user making the request is who they say they are. You always have access to the user object in the session as long as they are signed in. With that in mind, I think the backend endpoints can be cleaned up a bit by not asking for a user ID ever. Other information should go in the body as to not cause any other vulnerabilities as well.