Currently, API routes validate the sessions in requests using the withUserSession middleware. This ensures authentication, but we are still lacking authorization for some requests.
For instance, a request to GET /user/me should only allow the user with that username to successfully get a response. To achieve that, we can:
use the id we pull from the session info in the withUserSession and query the db for the related username.
Currently, API routes validate the sessions in requests using the
withUserSessionmiddleware. This ensures authentication, but we are still lacking authorization for some requests.For instance, a request to
GET /user/meshould only allow the user with that username to successfully get a response. To achieve that, we can:withUserSessionand query the db for the related username.