Nostromos / what.ecom

PERN Ecom app for Codecademy's Full Stack path.
MIT License

Protected resource access (i.e. checkout, complete an order) #41

Open Nostromos opened 8 months ago

Nostromos commented 8 months ago

Some features on your site should only be accessible after the user logs in, such as the ability to add items to the cart or complete an order. Make sure to redirect users to the login page if they are trying to perform these tasks and are not signed in.

When trying to access protected resources, make sure the session identifier is always being passed in with your request. On the backend, check the ID to make sure the user is authorized before returning the requested information. If the user is not authorized, return a 401 Unauthorized response and redirect the user accordingly.

One option is to write an authentication middleware that can perform this ID check, and add that in front of the API endpoints that require protection.
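The middleware described above, as an added example that is not code from the what.ecom repo. It assumes the session identifier arrives in a cookie named `sid` and that a server-side store maps that id to `{ userId, expiresAt }`; the store, cookie name and session ids here are constructed, and Express's `res` is stubbed so the file runs on its own.

```javascript
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// In-memory stand-in for the server-side session store (constructed data).
const sessionStore = new Map([
  ['sid-valid-example', { userId: 42, expiresAt: Date.now() + 3600000 }],
  ['sid-expired-example', { userId: 7, expiresAt: Date.now() - 1000 }],
]);

// Express-style middleware: verify the session id before the route handler runs.
function requireAuth(store = sessionStore) {
  return function (req, res, next) {
    const sid = parseCookies(req.headers && req.headers.cookie).sid;
    const session = sid ? store.get(sid) : undefined;
    if (!session || session.expiresAt <= Date.now()) {
      if (session) store.delete(sid); // drop the stale session server-side
      // 401 Unauthorized; the client redirects to the login page on this.
      return res.status(401).json({ error: 'Unauthorized', redirectTo: '/login' });
    }
    req.user = { id: session.userId }; // downstream handlers trust only this
    return next();
  };
}

// Minimal stand-in for Express's res so the example runs without Express.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Drive the middleware with a given Cookie header and report what happened.
function runProtected(cookieHeader, store = sessionStore) {
  const req = { headers: { cookie: cookieHeader } };
  const res = makeRes();
  let nextCalled = false;
  requireAuth(store)(req, res, () => { nextCalled = true; });
  return { statusCode: res.statusCode, body: res.body, user: req.user, nextCalled };
}
// Wiring in the app: app.post('/api/checkout', requireAuth(), checkoutHandler);
```

Note that the session lookup happens on the server: a client-side redirect alone does not protect the endpoint, since anyone can call the API directly without the session cookie.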