Token should be required to heart an adventure

[ajsharma]

There's no security check for the heart controller endpoint, so anyone with the adventure id could send a POST and get access.