Currently the API returns everyone's todos to each user. This is not the expected behavior. Each user should have access only to his or her own tasks.
Go back to the ApiController and update the
The Context object contains four properties:
- the express request object,
- an empty object called state which can be used to share data between hooks,
- and the user object that is defined if a user logged in.
Refresh the todo-list page. You should only see the todos of the user you logged in as.
However, if you try to create a new todo, it will disappear upon page refresh. This is perfectly normal since we do not specify its owner upon creation.
As for the delete feature, you also need to restrict its access. Users should only be able to delete their own todos.
Update the ApiController.
The application is now working properly.
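The three ownership rules described above (list, create, delete), as an added example that is not code from this tutorial or from FoalTS. `TodoApi`, `Ctx`, `Result` and the in-memory array are hypothetical stand-ins for the controller, the context object and the database.

```typescript
// Added illustration: in-memory stand-in for the todo table (not FoalTS code).
interface User { id: number; }
interface Todo { id: number; text: string; ownerId: number; }
// Mirrors the context described above: user is undefined when nobody is logged in.
interface Ctx { user?: User; request: { body?: Record<string, unknown>; params?: Record<string, string> }; }
interface Result { status: number; body?: unknown; }

class TodoApi {
  private todos: Todo[] = [];
  private nextId = 1;

  // List: filter on the authenticated user, never on a client-supplied id.
  getTodos(ctx: Ctx): Result {
    if (!ctx.user) return { status: 401 };
    const userId = ctx.user.id;
    return { status: 200, body: this.todos.filter(t => t.ownerId === userId) };
  }

  // Create: the owner comes from the logged-in user; an "ownerId" in the body is ignored.
  postTodo(ctx: Ctx): Result {
    if (!ctx.user) return { status: 401 };
    const text = ctx.request.body?.['text'];
    if (typeof text !== 'string' || text.length === 0) return { status: 400 };
    const todo: Todo = { id: this.nextId++, text, ownerId: ctx.user.id };
    this.todos.push(todo);
    return { status: 201, body: todo };
  }

  // Delete: match on id AND owner, so another user's todo looks nonexistent (404).
  deleteTodo(ctx: Ctx): Result {
    if (!ctx.user) return { status: 401 };
    const userId = ctx.user.id;
    const id = Number(ctx.request.params?.['id']);
    const index = this.todos.findIndex(t => t.id === id && t.ownerId === userId);
    if (index === -1) return { status: 404 };
    this.todos.splice(index, 1);
    return { status: 204 };
  }
}

// Constructed scenario: user 2 tries to read and delete a todo created by user 1.
function demo(): number[] {
  const api = new TodoApi();
  api.postTodo({ user: { id: 1 }, request: { body: { text: 'buy milk', ownerId: 2 } } });
  const seenByOther = api.getTodos({ user: { id: 2 }, request: {} }).body as Todo[];
  const otherDelete = api.deleteTodo({ user: { id: 2 }, request: { params: { id: '1' } } });
  return [seenByOther.length, otherDelete.status];
}
```

Returning 404 instead of 403 on a foreign todo avoids confirming that the id exists.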