Closed aopal closed 5 years ago
Just copying my comment from a PR here in case anyone decides to pick this up.
To make an endpoint protected, all you have to do is add the verifyToken parameter as used here: https://github.com/CGUC/skybunk-server/blob/master/controllers/userController.js#L56
Then when sending a request to that endpoint you just have to include the user's auth token. So in order to make our public endpoints only accessible to registered users, we'd first have to update the calls on the client side to include the user's token (also trivial) so as not to break everything, then we can simply add verifyToken into the parameters of the endpoint.
What this does is add a middleware onto that endpoint, so before entering it we first execute verifyToken as defined here: https://github.com/CGUC/skybunk-server/blob/master/helpers/authorization.js which checks for the user's token and sends a 403 otherwise.
Some endpoints are completely public, but expose private information, e.g., some people have put their full addresses in their bio, which is public via the /users endpoint.
These endpoints should be only accessible when requested with a valid token. We may want to make all endpoints require tokens, other than those related to registration.