- Add server-side authentication validation for all protected API endpoints - Create auth utility with requireAuth() function for session validation - Update CombinedDataRepository to filter data by authenticated user ID - Add findByUserId() method to CatchRecordRepository for user-specific queries - Replace client-side userId parameters with server-side session extraction - Use MongoDB aggregation with $lookup and $expr for secure user filtering - Return 401 errors for unauthenticated requests - Fix critical security vulnerability where users could see others' catch records Fixes: User data isolation bug where one user's catch records were used for everyone Security: Prevents unauthorized access to other users' Pokemon tracking data
Living Dex Tracker
A web app to track completion of a living Pokédex.
Developing
Cloned the repository you can install the dependencies with npm install, and start a development server:
npm run dev
# or start the server and open the app in a new browser tab
npm run dev -- --open
An example .env file is provided in the repository. You will need to copy .env.example to .env and fill in the values with your own credentials.
Once you have done this, you can seed the Pokédex data using the /api/seed endpoint. You will need to comment out the return; at the beginning of the GET function in /src/routes/api/seed.ts to do this. Make sure you remember to uncomment it afterwards.
Building
To create a production version:
npm run build
You can preview the production build with npm run preview.
Hosting
The app is hosted on Netlify at pokedex.jcreek.co.uk.
The Pokédex data is stored in a MongoDB database hosted on MongoDB Cloud.
User authentication is handled by Supabase Auth.
Dependencies
The living dex tracker's sprite collection is taken from PokéAPI Sprites, which is licensed under the Creative Commons CC0 1.0 Universal license.