I have a fairly simple API setup on a MEAN stack using PassportJS. I have no problems setting up my routes with no security (grabbing general data) and with user authentication
It seems that you are missing an API check on the userId. For example, you have a route like /api/:userId/data/:dataId and you would like to ensure that only users who are allowed to access this data item can do so. Then what you would need to do is check that the userId provided in your authentication token is the same as the userId in the API route!
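The check the answer describes, written out as an added example (this is not code from the question or the answer): an Express-style middleware that runs after Passport has authenticated the request and refuses any request whose :userId route parameter does not match the authenticated user. It assumes a Passport strategy such as passport-jwt has already set req.user and that the user object carries an `id` property (both are assumptions about the asker's setup). The stand-in req/res objects at the bottom are constructed so the block runs without Express installed.

```javascript
'use strict';

// Decide whether the authenticated principal may act on the :userId in the route.
// Kept as a pure function so it can be unit-tested without Express.
function isOwner(authenticatedUser, routeUserId) {
  if (!authenticatedUser || authenticatedUser.id === undefined) return false;
  if (typeof routeUserId !== 'string' || routeUserId.length === 0) return false;
  // Compare as strings: Mongo ObjectIds, JWT subjects and route params all stringify,
  // so a numeric id 42 must still match the route param "42".
  return String(authenticatedUser.id) === routeUserId;
}

// Express-style middleware. Mount it AFTER the Passport step, e.g.
//   app.get('/api/:userId/data/:dataId',
//           passport.authenticate('jwt', { session: false }),
//           requireOwnUserId,
//           getDataHandler);
function requireOwnUserId(req, res, next) {
  if (!req.user) {
    // Passport did not authenticate the request: not logged in at all.
    return res.status(401).json({ error: 'not authenticated' });
  }
  if (!isOwner(req.user, req.params.userId)) {
    // 403 rather than 401: the caller is authenticated but is asking for
    // another user's resources.
    return res.status(403).json({ error: 'forbidden' });
  }
  return next();
}

// Second line of defence for the data lookup itself: always scope the query to the
// owner, so a dataId belonging to someone else simply returns no document.
// (Field name `owner` is an assumption about the schema.)
function ownerScopedFilter(userId, dataId) {
  return { _id: dataId, owner: userId };
}

// Minimal stand-ins for Express req/res so the middleware can be exercised offline.
function runMiddleware(user, routeUserId) {
  const req = { user, params: { userId: routeUserId } };
  const result = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  requireOwnUserId(req, res, () => { result.nextCalled = true; });
  return result;
}

// Constructed sample traffic: own id, someone else's id, and no token at all.
console.log(runMiddleware({ id: 'u1' }, 'u1')); // next() called, status stays 200
console.log(runMiddleware({ id: 'u1' }, 'u2')); // 403 forbidden
console.log(runMiddleware(undefined, 'u1'));    // 401 not authenticated
```

The route-level check and the owner-scoped query are deliberately separate: the middleware rejects mismatched userIds early, and the query filter guarantees that even a handler which forgets the middleware cannot return a document the caller does not own.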