Summary
JWT is required by the OpenAPI spec and declared in SecurityConfig, but no endpoint actually checks the caller's role before mutating data. SpiceDB permissions are defined but never enforced.
Tasks
Acceptance criteria
mvn test passes with auth tests
Depends on
Branch
rb-03-refimpl