Open
Description
Both /ref and /ref2 views need to be locked down to be visible only to the battle creator. Right now they are visible to everyone.
Should be easy enough to lock down similar to the /recap view BUT I am concerned that an unauthenticated socket connection to the zero sync server can access this data.
These are screenshots from a private tab with no authentication after loading the /ref/:id view. Anyone that connects to the websocket server could query for this data. Maybe they need to know the battle id, but this is still not good. Can we lock it down somehow in a middleware?
