Users can access their items via API. Authentication via API token. No public access to items.

lib/generic_rest_server_web/router.ex

@@ -17,16 +17,28 @@ defmodule GenericRestServerWeb.Router do
     plug :accepts, ["json"]
   end
 
+  pipeline :protected_api do
+    plug :accepts, ["json"]
+    plug :fetch_current_scope_for_api_user
+  end
+
   scope "/", GenericRestServerWeb do
     pipe_through :browser
 
     get "/", PageController, :home
   end
 
-  # Other scopes may use custom stacks.
+  # public API
   scope "/api", GenericRestServerWeb do
     pipe_through :api
 
+    post "/log_in", UserTokenController, :log_in
+  end
+
+  # protected API
+  scope "/api", GenericRestServerWeb do
+    pipe_through :protected_api
+
     resources "/items", ItemController, except: [:new, :edit]
   end