Node Blog API: Clarify authentication/protect routes requirement(s)
Checks
- [X] This is not a duplicate of an existing issue (please have a look through our open issues list to make sure)
- [X] I have thoroughly read and understand The Odin Project Contributing Guide
- [X] Would you like to work on this issue?
Describe your suggestion
Currently, the Node Blog API does not have any spec requirement relating to protecting routes in any way. Given that the project comes directly after learning about stuff like JWTs, many people (myself included) naturally opted to include some kind of JWT implementation to protect certain routes, although many have also come to the Discord server to ask about whether they're supposed to, since there is no spec requirement.
I do think it makes sense to include route protection in this project (else I could find someone's endpoints and just start deleting/posting my own blogs via Postman, for example), and for learners to decide what routes would need protecting and what routes wouldn't.
I think it also makes sense that learners perhaps try and implement route protection via JWTs given the previous lesson content. However, given that sessions are also perfectly viable (and have been introduced even earlier for Members Only), it may be worth either mentioning it as a possibility (but requiring JWTs for this project) or even suggesting it as an option.
I.e. if it is agreed that the project should include some requirement for including route protection then either:
- Say that both JWTs and sessions are viable and the learner may wish to decide which they implement
- Say that while both are viable options, for this project the learner should attempt it via JWTs specifically
Path
Node / JS
Lesson Url
https://www.theodinproject.com/lessons/nodejs-blog-api
(Optional) Discord Name
No response
(Optional) Additional Comments
No response
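Added example, not part of the issue above and not code from The Odin Project: a sketch of the route protection the issue discusses, with public reads and JWT-gated writes, using only Node's built-in crypto. The secret, the `role` claim and the "every non-GET request needs an author token" policy are assumptions made for illustration.

```javascript
// Added example. SECRET, the "role" claim and the route policy are assumptions.
// Loads node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value; read from env in a real app
const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (data, secret) => nodeCrypto.createHmac('sha256', secret).update(data).digest();

// Issue an HS256 JWT (what a login route would return to the blog author).
function signToken(payload, secret = SECRET) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// Return the payload if the token is authentic and unexpired, otherwise null.
function verifyToken(token, secret = SECRET, now = Date.now() / 1000) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm; the token header must not be allowed to choose it.
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    const expected = hmac(`${head}.${body}`, secret);
    const given = Buffer.from(sig, 'base64url');
    // Constant-time comparison; the length check avoids a throw on mismatch.
    if (given.length !== expected.length) return null;
    if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
    const payload = JSON.parse(Buffer.from(body, 'base64url'));
    if (typeof payload.exp !== 'number' || payload.exp <= now) return null;
    return payload;
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Route guard: returns the HTTP status the API should answer with.
// Reads stay public; anything that changes state needs a valid author token.
function authorize(method, authHeader) {
  if (method === 'GET' || method === 'HEAD') return 200;
  const match = /^Bearer (.+)$/.exec(authHeader || '');
  const user = match ? verifyToken(match[1]) : null;
  if (!user) return 401;                     // missing, forged or expired token
  return user.role === 'author' ? 200 : 403; // authenticated but not allowed
}
```

In an Express app the same decision would sit in a middleware placed in front of the POST, PUT and DELETE routes only.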