bcgov / entity

ServiceBC Registry Team working on Legal Entities
Apache License 2.0

Legal API: when auth'ing a call, should validate Account ID #10996

Open severinbeauvais opened 2 years ago

severinbeauvais commented 2 years ago

Example:

  1. go to Auth Web and log in (eg, BCREG0001)
  2. observe that the first account is set (eg, asdfsd3333)
  3. change to another account (eg, Orange and Apple Inc)
  4. from My Business Registry, open an entity (eg, https://dev.bcregistry.ca/business/CP0001311)
  5. observe that the current account is unchanged (as above)
  6. in another tab, copy-paste the same entity's URL (as above)
  7. observe that the current account has been reset to the first account (eg, asdfsd3333), which is incorrect
  8. observe that the entity dashboard loads successfully, which is incorrect

The issue in step 7 will be resolved in #10880.

The issue in step 8 is the subject of THIS ticket. When a call is made to the Legal API, the authentication/authorization step should validate the account ID -- the wrong account should not be able to access an entity's data (even though it's the same user in both cases).

I am not sure about the priority of this ticket. On the one hand, it should only happen when a user enters the URL manually (or restores a bookmark). Also, this issue has existed for some time. On the other hand, it may be serious that the wrong account is used to modify an entity...?

cc: @shabeeb-aot
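
The authorization gap described above, as an added example (not bcgov/entity code): a user-only check that lets any of the user's accounts load the entity, beside a check that also validates the account ID presented on the call. The affiliation data, the `Request` shape and the idea that the account arrives as a header are constructed assumptions.

```python
"""Added example, not bcgov/entity code: validate the account ID, not just the
authenticated user, before granting access to an entity's data.
Affiliation data and the Request shape are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data mirroring the issue: one user, two accounts, one entity.
# Which accounts are affiliated with which entities.
AFFILIATIONS = {
    "asdfsd3333": set(),                    # first account: no affiliation
    "Orange and Apple Inc": {"CP0001311"},  # account affiliated with the entity
}
# Which accounts the user belongs to (the same user in both cases).
USER_ACCOUNTS = {"BCREG0001": {"asdfsd3333", "Orange and Apple Inc"}}


@dataclass
class Request:
    user: str                   # identity from the already-verified token
    account_id: Optional[str]   # account selected in the client (assumed header)
    identifier: str             # entity identifier, e.g. CP0001311


def authorize_user_only(req: Request) -> bool:
    """Weak check: passes if ANY of the user's accounts is affiliated with the
    entity. The account presented on the call is ignored, so the dashboard
    still loads when the client has fallen back to the wrong account (step 8)."""
    accounts = USER_ACCOUNTS.get(req.user, set())
    return any(req.identifier in AFFILIATIONS.get(a, set()) for a in accounts)


def authorize_with_account(req: Request) -> bool:
    """Hardened check: the account on the call must belong to the user AND be
    affiliated with the entity. A missing account ID is denied, never defaulted."""
    if not req.account_id:
        return False
    if req.account_id not in USER_ACCOUNTS.get(req.user, set()):
        return False
    return req.identifier in AFFILIATIONS.get(req.account_id, set())


if __name__ == "__main__":
    wrong = Request("BCREG0001", "asdfsd3333", "CP0001311")
    print("user-only:", authorize_user_only(wrong))        # True (the bug)
    print("with account:", authorize_with_account(wrong))  # False (correct)
```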

sienna-oldaccountdontuse commented 2 years ago

Time-box research on this ticket: After we complete the time-boxed research, we are going to revisit this and re-estimate.

mstanton1 commented 2 years ago

@lmcclung @davemck513 is this intended to be open? It's labelled as a P1 spike. If this closes, the epic may be closed. If this is being pushed, perhaps we take this out of the epic and close the epic?

severinbeauvais commented 2 years ago

The risk of not doing this is that a user could access or update an entity while using the wrong account.