Hi. I've created a giant app, and somewhere near the end I've realized that for authentication, I only authenticate the user. So if they have any of the IDs, and any of the endpoints, bam - they can do anything.
To make it so the logged-in user can only query data related to them, do I need to authenticate all my tables, or just use a precondition?
I'm assuming that the precondition would be easiest to implement:
If input: `company != extras.company`, then don't query. (Where `extras.company` is set when the auth token is being created.)
What would it look like for authenticating the tables? What would be the use-case for that?
Thanks so much!
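The two options in the question side by side, as an added example that is not part of the original post: a per-endpoint precondition (compare the request's `company` with the token's `extras.company`) versus scoping the table itself so every query is filtered by the caller's company. The `Token`, `extras`, the in-memory `INVOICES` table and the function names are constructed for illustration and assume nothing about the poster's framework.

```python
# Added example (not from the original post). Two ways to stop a logged-in
# user from reading another company's rows. `extras`, `company` and the
# in-memory INVOICES "table" are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: one table holding rows from two companies.
INVOICES = [
    {"id": 1, "company": "acme", "amount": 100},
    {"id": 2, "company": "acme", "amount": 250},
    {"id": 3, "company": "globex", "amount": 999},
]

@dataclass
class Token:
    user: str
    extras: dict  # e.g. {"company": "acme"}, set when the token is minted

class Forbidden(Exception):
    pass

# Approach 1: per-endpoint precondition. Correct, but every endpoint has
# to remember to call it; one forgotten call is a cross-company leak.
def check_company(token: Token, requested_company: str) -> None:
    if requested_company != token.extras.get("company"):
        raise Forbidden("company mismatch")

def get_invoices_v1(token: Token, company: str) -> list:
    check_company(token, company)
    return [r for r in INVOICES if r["company"] == company]

# Approach 2: scope the table itself. The data layer only ever returns
# rows belonging to the token's company, so an endpoint cannot forget the
# check and a guessed ID from another company simply looks like "not found".
class ScopedTable:
    def __init__(self, rows: list, token: Token):
        self._rows = rows
        self._company = token.extras["company"]

    def select(self, **where) -> list:
        return [r for r in self._rows
                if r["company"] == self._company
                and all(r.get(k) == v for k, v in where.items())]

def get_invoice_v2(token: Token, invoice_id: int) -> Optional[dict]:
    rows = ScopedTable(INVOICES, token).select(id=invoice_id)
    return rows[0] if rows else None
```

The second approach is the "authenticate the tables" case: the filter lives with the data access, not with each endpoint, so new endpoints are scoped automatically.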