[Tracking] 🐛 BUG: Legacy security flaws

[torss]

Numerous security flaws were accumulated in previous release cycles. The goal now is to fix these and eventually reach a release (presumably) without security issues.

Many tracked issues are bound to be mostly API-related, although some changes in the front-end may also be necessary as part of the fixes.

Completed issues

• Fixed numerous severe user related security issues. #691 #709 This primarily dealt with issues in the UserController.ts.
• Fixed multiple severe course related security issues. #594 #653 #691 This primarily dealt with issues in the CourseController.ts.
• Updated the dependencies for security. #661
• Disabled unused but existent tutor role. #710 (This was no direct security issue.)
• Secured the static uploads route. #729
• Switch to cookie-based authentication. #840 (This is more of an improvement on the current localStorage-based system with separate mediaTokens than a vulnerability by itself - except that localStorage could be targeted by XSS attacks.)
• Comprehensive search for remaining legacy security flaws. #853
• Chat message forgery. #989 (Not really a legacy vulnerability, since the chat was introduced in the previous semester.)

Open issues

The audit (and now tracking) issue #853 describes various open vulnerabilities that may well not yet have their own issue (and thus aren't directly listed here either).