Implement Role-Based Access Control (RBAC) to restrict access to the /users/toggle-status endpoint so that only authorized users (e.g., Admin role) can perform bulk status toggling.
What Needs to Be Done:
Add a role field to the User schema with a fixed set of allowed values (e.g., admin, user).
Assign a default role (user) server-side during registration; the role must not be settable from the registration request body.
Create an authorization middleware (e.g., authorizeRole) that checks the authenticated user's role as loaded from the stored user record, not from anything the client sends.
Restrict the toggle endpoint so that only users with the admin role can access it.
Return a 403 Forbidden response if a non-admin user attempts to access the endpoint.
Ensure existing authentication flow remains intact.
The goal is to enhance security and align the API with real-world production access control standards.
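The following is an added example of the six steps above, not code from the project itself. It assumes an Express-style (req, res, next) middleware chain and an upstream authentication step that has already attached the stored user record as req.user; the role constants, the buildNewUser helper, the in-memory users array and the runRoute stand-in for Express are all illustrative assumptions so the file runs offline.

```javascript
// Added example (not the project's code): RBAC for the bulk /users/toggle-status endpoint.
// Assumption: an authentication middleware has already run and set req.user from the
// server-side user record (e.g. a verified session or JWT), including its role field.

const ROLES = Object.freeze({ ADMIN: 'admin', USER: 'user' });
const DEFAULT_ROLE = ROLES.USER;

// Step 1 + 2: the schema's role field is an enum; registration assigns the default
// role itself and ignores any role supplied by the client.
function buildNewUser({ email, passwordHash }) {
  return { email, passwordHash, role: DEFAULT_ROLE, isActive: true };
}

// Step 3: authorizeRole(...allowed) returns a middleware that lets the request through
// only when req.user.role is one of the allowed roles. Exact string match, no prefixes.
function authorizeRole(...allowed) {
  return function (req, res, next) {
    if (!req.user) {
      // Step 6: authentication is a prerequisite; a missing identity is 401, not 403.
      res.status(401).json({ error: 'Unauthenticated' });
      return;
    }
    if (!allowed.includes(req.user.role)) {
      // Step 5: authenticated but not permitted.
      res.status(403).json({ error: 'Forbidden' });
      return;
    }
    next();
  };
}

// Step 4: the bulk toggle handler, flipping isActive for every id in req.body.userIds.
// `users` stands in for the database collection (hypothetical, in-memory).
function toggleStatusHandler(users) {
  return function (req, res) {
    const ids = Array.isArray(req.body && req.body.userIds) ? req.body.userIds : [];
    const updated = [];
    for (const u of users) {
      if (ids.includes(u.id)) { u.isActive = !u.isActive; updated.push(u.id); }
    }
    res.status(200).json({ updated });
  };
}

// Minimal stand-in for Express routing: run middlewares in order and stop at the first
// one that sends a response. Returns the mock response so callers can inspect it.
function runRoute(middlewares, req) {
  const res = {
    statusCode: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

// Constructed scenario: one admin, one regular user; three requests against the route.
function demo() {
  const users = [
    { id: 1, role: ROLES.ADMIN, isActive: true },
    { id: 2, role: ROLES.USER, isActive: true },
  ];
  const route = [authorizeRole(ROLES.ADMIN), toggleStatusHandler(users)];
  const asAdmin = runRoute(route, { user: users[0], body: { userIds: [2] } });   // 200, toggles user 2
  const asUser = runRoute(route, { user: users[1], body: { userIds: [1] } });    // 403, nothing changes
  const anonymous = runRoute(route, { body: { userIds: [1] } });                 // 401, nothing changes
  return { asAdmin, asUser, anonymous, users };
}
```

The middleware is placed before the handler on the single route rather than wrapped into the handler, so the existing authentication chain is untouched and the same authorizeRole factory can guard other admin-only routes later. Note that req.user is the record loaded by authentication; a role carried in the request body or a client-controlled header is never consulted.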