Currently the app is doing authorization on a per-route basis.
This is not considered a best practice in the industry, as it's easy to leave loopholes in security: any route whose check is forgotten is exposed.
The solution to this is "secure by default", which means that every route is restricted at the highest level, and exclusions are provided on a case-by-case basis.
e.g. the /login route has reduced security as the user must access it when unauthenticated.
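As an added illustration (not code from this app or this issue), a framework-independent Python guard that contrasts the current per-route style with a secure-by-default guard; the routes, roles and the public allowlist are hypothetical:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed example: all routes, roles and policies below are hypothetical.
# Required roles per route; a missing entry means nobody wrote a policy for it.
ROUTE_ROLES = {
    "/profile": {"user", "admin"},
    "/admin/users": {"admin"},
}
# Explicit exclusions from the default policy, reviewed case by case.
PUBLIC_ROUTES = {"/login", "/healthz"}


@dataclass
class Request:
    path: str
    user: Optional[str] = None          # None means unauthenticated
    roles: frozenset = field(default_factory=frozenset)


def authorize_per_route(req: Request) -> int:
    """Per-route style: a route is only checked if someone remembered to
    register a policy. A route with no entry (e.g. /reports) falls through
    to 200 for anyone, which is the loophole described above."""
    required = ROUTE_ROLES.get(req.path)
    if required is None:
        return 200                      # fails open
    if req.user is None:
        return 401
    return 200 if req.roles & required else 403


def authorize_secure_by_default(req: Request) -> int:
    """Secure-by-default: every path is restricted unless explicitly excluded.
    Unregistered routes are denied, so a forgotten policy fails closed."""
    if req.path in PUBLIC_ROUTES:
        return 200                      # e.g. /login must be reachable logged out
    if req.user is None:
        return 401
    required = ROUTE_ROLES.get(req.path)
    if required is None or not (req.roles & required):
        return 403                      # no policy, or wrong role: deny
    return 200
```

The point of the contrast is the unregistered /reports path: the per-route guard serves it to an anonymous caller, the secure-by-default guard refuses it even to an admin until a policy is written.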