As an engineer, I want to stop access to backend API by Nginx

[raftmsohani]

Description: During studying recent zap scanner findings here, the backend api can be browsed, although it cannot be accessed by unauthorized user.

To increase security, the backend API can be stopped by Nginx (instead of backend) using similar approach as in here.

Acceptance Criteria:

• [ ] Authorize user can access the backend API /v1
• [ ] Unauthorized user cannot access backend and receives a message from Nginx instead of backend api response
• [ ] Testing Checklist has been run and all tests pass
• [ ] README is updated, if necessary

Tasks: Create a list of granular, specific work items that must be completed to deliver the desired outcomes of this issue

• [ ] Implement backend authorization in Nginx before granting access to the user
• [ ] Ensure all tests pass and user can submit file, etc. Ensure all automated (cypress) tests pass
• [ ] Run Testing Checklist and confirm all tests pass
• [ ] Write tests (unit, integration, cypress, etc)
  • [ ] /v1 endpoints can be access by an approved user with a valid session
  • [ ] /v1 endpoints return 403 for unapproved user
  • [ ] /v1 endpoints return 403 for user with invalid session
  • [ ] /v1 endpoints return 403 for user with no session

Notes:

• Implementing this approach can resolve other lower level owasp findings