It was a bit difficult to add authentication alongside the ownership check. I am not entirely sure if my implementation is entirely secure. Otherwise, I believed the actual authentication without ownership was rather simple for the back end.
It was rather difficult trying to figure out cookies and having something render conditionally based on a cookie. I was getting a lot of conflicting information, some that didn't work and some that did work.
There were a lot of struggles setting up the dependencies needed to set up the server. And I had issues where the compiled front-end JavaScript was not being detected by the server despite being physically present in the directory. I still don't really have a clue what the cause was, but it was fixed by wiping the repo completely and recloning it.
I had no issue with XSS by having HttpOnly on the token used by the server. I also have a CSP header set to prevent scripts from being run.
I had protection against CSRF attacks by having the SameSite=Lax property on all the cookies I used.
I set my rate limit through the express rate limiter and I used helmet to set the HTTP CSP header.
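As an added example (not the author's code), here is a dependency-free Node.js sketch of the pieces described above: parsing the cookie so a page can render conditionally, setting the token cookie with HttpOnly and SameSite=Lax, sending a CSP header, and a fixed-window rate limiter. The cookie name `token`, the CSP directives and the 100-requests-per-minute default are assumptions.

```javascript
const AUTH_COOKIE = "token"; // assumed cookie name (not the author's)

// Parse a Cookie request header: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Set-Cookie value for the session token. HttpOnly keeps page scripts from
// reading it; SameSite=Lax stops cross-site POSTs from carrying it along.
function buildAuthCookie(token, { secure = true, maxAgeSec = 3600 } = {}) {
  const attrs = [`${AUTH_COOKIE}=${encodeURIComponent(token)}`, "HttpOnly",
    "SameSite=Lax", "Path=/", `Max-Age=${maxAgeSec}`];
  if (secure) attrs.push("Secure");
  return attrs.join("; ");
}

// Content-Security-Policy value: same-origin scripts only, no inline script.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Fixed-window in-memory rate limiter keyed by client address (assumed
// defaults: 100 requests per minute).
function createRateLimiter(max = 100, windowMs = 60_000) {
  const hits = new Map();
  return function allow(key, now = Date.now()) {
    const rec = hits.get(key);
    if (!rec || now - rec.start >= windowMs) {
      hits.set(key, { start: now, count: 1 });
      return true;
    }
    rec.count += 1;
    return rec.count <= max;
  };
}

// One request in, one response out: 429 when over the limit, otherwise a
// page that renders differently depending on whether the auth cookie exists.
function respond(req, allow) {
  const headers = { "Content-Security-Policy": CSP, "Content-Type": "text/html" };
  if (!allow(req.ip)) return { status: 429, headers, body: "Too many requests" };
  const loggedIn = Boolean(parseCookies(req.headers.cookie)[AUTH_COOKIE]);
  return { status: 200, headers, body: loggedIn ? "<p>Welcome back</p>" : "<p>Please log in</p>" };
}
```

`respond` takes a plain object with `ip` and `headers` so it can be exercised without a socket; in a real server the same function would be called from the `http.createServer` handler with the parsed request.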