
[Backend] Implement Server-Side Session & Authorization Checks #20

@Azazel5

Description

Objective

This ticket is the prerequisite for the admin tickets and for the ones in which users make changes to their own profile, because we must make sure that the currently logged-in user is the one trying to make changes to their own profile.

TL;DR: Implement server-side session checks for all modifying API routes and Server Actions (POST, PATCH, DELETE) to ensure proper authorization.

User story

As a developer, I want to secure our backend endpoints so that:

  1. Only users with an "admin" role can perform administrative actions.

  2. Users can only modify data that belongs to them (e.g., their own user profile).

This will prevent unauthorized access and protect user data integrity.

Acceptance Criteria

  1. Admin-Only Authorization:

A reusable function or middleware pattern is created to check if the currently authenticated user has a role of admin in their session.
This check must be applied to all API routes or Server Actions intended for admin use (/admin/...).

If the user is not authenticated OR their role is not admin, the endpoint must return a 403 Forbidden error response.

  2. User Ownership Authorization:

A reusable function or pattern is created to check if the authenticated user's ID matches the ID of the resource they are trying to modify.

This check must be applied to all relevant endpoints (PATCH their own artworks or details in their profile, POST /artworks).

The check should compare session.user.id (or equivalent) against the resource ID (e.g., [id] from the route parameters or a userId in the request body).

If the user is not authenticated OR the IDs do not match, the endpoint must return a 403 Forbidden or 401 Unauthorized error response.

  3. Comprehensive Coverage:

All existing and future POST, PATCH, and DELETE API routes and Server Actions must implement one of these checks (or another appropriate session check). Because this task is embedded within every backend user story, the dev implementing this ticket could communicate the new functionality to the team so they can use these checks in their stories!
