Currently, because we are at the beginning stage, the project does not implement any authentication or authorization mechanisms for the API. API requests rely solely on a userId to fetch data. While this approach may suffice for the initial phase of development, as the project scales and sensitive or private data is exposed through the API, this method poses significant security risks.
By relying only on userId to access API data, the system lacks a robust security layer, making it vulnerable to several potential attacks, including unauthorized access, data exposure, and exploitation of user data.
Current Scenario:
API Access via userId:
Currently, the API requests require only the userId as a parameter to fetch data, without any form of authentication or token validation.
Risk:
Lack of Identity Verification: Without authentication, anyone who can guess or obtain a userId can potentially access that user's data.
Lack of Access Control: There is no control over which users can access which endpoints, leaving the API open to abuse or misuse.
Potential Data Exposure: As more sensitive data is exposed via the API (such as personal information, payment data, etc.), the risk of unauthorized access increases significantly.
Proposed Solution:
Implement Authentication:
JWT (JSON Web Token): Use JWT as the primary mechanism for securing API requests. JWT allows you to authenticate users and ensure that only authorized users can access certain endpoints.
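As an added illustration of the gap this issue describes (example code, not code from this project), the Python sketch below places the current userId-only lookup beside the proposed JWT-backed version: the token is verified (HS256 signature with a pinned algorithm, plus expiry) and the request's userId must match the token's sub claim, so a caller cannot read another user's data by supplying a different userId. SECRET, USER_DATA and the function names are constructed for the example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-hs256-secret-do-not-use"  # constructed; load from a secret store in practice
USER_DATA = {"42": {"name": "alice"}, "43": {"name": "bob"}}  # constructed stand-in backend

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, ttl=3600, now=None):
    """Mint an HS256 JWT whose 'sub' claim is the authenticated user's id."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
        if not isinstance(claims, dict) or claims["exp"] <= now:  # exp is required
            return None
    except (ValueError, KeyError, TypeError, AttributeError):  # malformed token
        return None
    return claims

def get_user_data_current(user_id):
    """Current design: the caller-supplied userId is trusted as-is."""
    return USER_DATA.get(user_id)

def get_user_data_proposed(token, user_id, now=None):
    """Proposed design: identity comes from the verified token, and the
    requested userId must match the token's subject."""
    claims = verify_token(token, now)
    if claims is None:
        return {"error": 401}  # not authenticated
    if claims.get("sub") != user_id:
        return {"error": 403}  # authenticated, but not this user's data
    return USER_DATA.get(user_id)
```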
YuechengHao626 changed the title from "Improve API Security by Implementing Authentication (Consider JWT)" to "Improve API Security by Implementing Authentication in the next stage (Consider JWT)" on Sep 30, 2024.
YuechengHao626 changed the title from "Improve API Security by Implementing Authentication in the next stage (Consider JWT)" to "Improve API Security by Implementing Authentication in the next stage" on Sep 30, 2024.