Open
Description
The API routes for templates and variables currently lack authentication and authorization checks. This needs to be addressed to ensure user data isolation and security as described in the project roadmap.
Affected Routes
- /api/variables (GET, PATCH) - app/api/variables/route.ts
- /api/templates (GET, POST) - app/api/templates/route.ts
Requirements
- Implement authentication middleware for API routes
- Validate user session/token before allowing access
- Scope database queries to the authenticated user's data only
- Return 401/403 for unauthorized requests
- Ensure user data isolation as per the "private by default" design
Context
This issue was identified during code review of PR #37 which added loading states and API routes. Authentication is planned as part of the roadmap (GitHub/Google OAuth integration) but was intentionally deferred from that PR's scope.
Related
- PR: feat: Add reusable loading states to all tools #37
- Discussion: feat: Add reusable loading states to all tools #37 (comment)
- Requested by: @rishabh3562
Acceptance Criteria
- Authentication middleware is implemented
- API routes validate user authentication before processing requests
- Database queries are scoped to authenticated user's data
- Unauthorized access returns appropriate HTTP status codes
- User data isolation is maintained across all API operations