I’m a little confused with this article. It uses really bad practices without alerting the reader that it’s just a demo and that you should never do that for real:
- the solution given to give permission to the “room” API endpoint is to give all permissions (read and write) to everyone, meaning anyone can create/delete/update any room while we only need read access
- passwords are stored in plain text
- authentication works by getting all the users/passwords in the browser (so anyone can get the names and passwords of everyone!)
Also, the code on GitHub is only the Next part: it's missing the Strapi part.
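
An added example, not part of the comment above or of the article's code: one way to address the plain-text password and client-side authentication points, with the check done on the server against salted scrypt hashes. The `/api/login` route, the `users` and `sessions` maps and the sample credentials are hypothetical and constructed for illustration.

```javascript
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// Store a salted scrypt hash as "salt:hash" (hex), never the password itself.
function hashPassword(password) {
  const salt = randomBytes(16);
  const hash = scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const expected = Buffer.from(hashHex, 'hex');
  const actual = scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return timingSafeEqual(actual, expected); // constant-time comparison
}

// Constructed sample user store (stands in for the CMS user collection).
const users = new Map([
  ['alice', { id: 1, passwordHash: hashPassword('correct horse battery') }],
  ['bob', { id: 2, passwordHash: hashPassword('tr0ub4dor&3') }],
]);
const sessions = new Map(); // token -> user id, kept server-side

// Dummy hash so an unknown username costs the same work as a known one.
const DUMMY_HASH = hashPassword(randomBytes(16).toString('hex'));

// Logic for a hypothetical POST /api/login handler: the browser sends one
// username/password pair and never receives the user list or any hash.
function login(body) {
  const username = typeof body?.username === 'string' ? body.username : '';
  const password = typeof body?.password === 'string' ? body.password : '';
  const user = users.get(username);
  const ok = verifyPassword(password, user ? user.passwordHash : DUMMY_HASH);
  if (!user || !ok) {
    return { status: 401, body: { error: 'Invalid credentials' } };
  }
  const token = randomBytes(32).toString('hex');
  sessions.set(token, user.id);
  return { status: 200, body: { userId: user.id, token } };
}
```
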