🚀 Feature Description
The trip schedule endpoints currently return Metrolinx GTFS data without requiring authentication, making them effectively a public data feed. This needs to be resolved before going live.
💡 Problem Statement
The Metrolinx API Access and Use Agreement (§7a) prohibits redistributing Data within your own API or feed. The following endpoints return GTFS-derived data and are currently unprotected:
- `GET /trip-schedule/search/round-trip-kitchener-union`
- `GET /trip-schedule/search`
The controller even includes a comment acknowledging this: `// route doesn't need to be protected because it's public information` — however the ToS does not make an exception for publicly available data; it prohibits redistribution regardless. Any third party can currently call these endpoints directly, which constitutes a data feed.
🎯 Proposed Solution
Apply `AuthGuard` to both trip schedule endpoints so that only authenticated app users can access them. This ensures the data is only accessible as part of the intended user flow, not as a standalone API.
🔄 User Story
As a legal/compliance stakeholder, I want trip schedule data to be accessible only to authenticated users so that the app remains compliant with the Metrolinx API terms of use.
📋 Acceptance Criteria
🔗 Related Issues
Related to Metrolinx API ToS compliance review.
🚀 Feature Description
The trip schedule endpoints currently return Metrolinx GTFS data without requiring authentication, making them effectively a public data feed. This needs to be resolved before going live.
💡 Problem Statement
The Metrolinx API Access and Use Agreement (§7a) prohibits redistributing Data within your own API or feed. The following endpoints return GTFS-derived data and are currently unprotected:
The controller even includes a comment acknowledging this: `// route doesn't need to be protected because it's public information` — however the ToS does not make an exception for publicly available data; it prohibits redistribution regardless. Any third party can currently call these endpoints directly, which constitutes a data feed.
🎯 Proposed Solution
Apply `AuthGuard` to both trip schedule endpoints so that only authenticated app users can access them. This ensures the data is only accessible as part of the intended user flow, not as a standalone API.
🔄 User Story
As a legal/compliance stakeholder, I want trip schedule data to be accessible only to authenticated users so that the app remains compliant with the Metrolinx API terms of use.
📋 Acceptance Criteria
🔗 Related Issues
Related to Metrolinx API ToS compliance review.