Currently anyone can delete anyone else's order, add auth such that only logged in users as well as the one who created an order can delete that order
Use any method for auth(custom with passport.js or 3rd party with google, fb etc)
When user tries to delete an order a new page is opened where user can register or log in after that check if logged in user is the one who created that order if yes then delete the order and redirect to landing page else do not delete the order and redirect to landing page