Currently anyone can update anyone else's order, add auth such that only logged in users as well as the one who placed the order can only update the order
Use any method for auth(custom with passport.js or 3rd party with google, fb etc)
When user tries to update an order a new page is opened where user can register or log in
If successful then check if the same user created that order if that is true open the update page and let the user update the order