Skip to content

[FEATURE] Require authentication on trip schedule endpoints #209

Description

@BreakableHoodie

🚀 Feature Description

The trip schedule endpoints currently return Metrolinx GTFS data without requiring authentication, making them effectively a public data feed. This needs to be resolved before going live.

💡 Problem Statement

The Metrolinx API Access and Use Agreement (§7a) prohibits redistributing Data within your own API or feed. The following endpoints return GTFS-derived data and are currently unprotected:

  • `GET /trip-schedule/search/round-trip-kitchener-union`
  • `GET /trip-schedule/search`

The controller even includes a comment acknowledging this: `// route doesn't need to be protected because it's public information` — however the ToS does not make an exception for publicly available data; it prohibits redistribution regardless. Any third party can currently call these endpoints directly, which constitutes a data feed.

🎯 Proposed Solution

Apply `AuthGuard` to both trip schedule endpoints so that only authenticated app users can access them. This ensures the data is only accessible as part of the intended user flow, not as a standalone API.

🔄 User Story

As a legal/compliance stakeholder, I want trip schedule data to be accessible only to authenticated users so that the app remains compliant with the Metrolinx API terms of use.

📋 Acceptance Criteria

  • `GET /trip-schedule/search/round-trip-kitchener-union` requires a valid Bearer token
  • `GET /trip-schedule/search` requires a valid Bearer token
  • Unauthenticated requests return `401 Unauthorized`
  • Existing authenticated flows continue to work

🔗 Related Issues

Related to Metrolinx API ToS compliance review.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions