Propo41 / intern-lagbe

A platform dedicated to hosting internship job posts in Bangladesh
https://internlagbe.azurewebsites.net/

Need authorization. An individual private job details page can be accessed by every registered user #24

Closed matcovic closed 3 years ago

Propo41 commented 3 years ago

The problem arises because, in the current implementation of the APIs, a company ID explicitly has to be sent to the server. This is not a secure way since if one user knows the UID of another user, they can fetch that user's job details.

To fix this, we need to implement a custom middleware for the JWT authorization. The JWT token will contain the user's info, such as their UID, and it will parse the JWT token, find the user's UID and carry out the operations as before. This way, the client side cannot explicitly send the company UID. And if they somehow tamper with the JWT token, it won't be validated and will throw an unauthorized response.