[BUG] POST /api/cell/<id>/tags allows unauthenticated tag modification #728

@aabhinavvvvvvv


Describe the Bug

POST /api/cell/<id>/tags has no authentication check. Any unauthenticated request can add or remove tags from any user's cell without being logged in.

  • What happened? Sending a POST request to /api/cell/<id>/tags with no Authorization header successfully modifies the cell's tags.
  • What was expected? The endpoint should return 401 Unauthorized immediately if no valid token is provided.

To Reproduce

  1. Start the server
  2. Run the following curl command (no token, no login):

       curl -X POST http://localhost:3000/api/cell/11/tags \
         -H "Content-Type: application/json" \
         -d '{"tag_ids":[]}'

  3. Observe that the tags are modified — no authentication required.

Expected Behavior

The endpoint should return 401 Unauthorized for any request missing a valid Authorization: Bearer <token> header.

Screenshots

    {"message": "Tags assigned successfully", "tags": []}
bug2.1.mp4

Response above is returned with no auth token. Anyone can modify tags on any cell without credentials.

Environment

  • OS: Windows
  • Affected file: backend/api/resources/cell_tags.py

Additional Context

This is a security issue — any unauthenticated user can wipe or reassign tags on any cell belonging to any user. Other endpoints like PUT /api/cell/<id> and DELETE /api/cell/<id> correctly use the @authenticate decorator. The tag assignment handler is missing it.

If this issue looks legit, then I would like to work on this.
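The following is an added, framework-independent sketch of the defect the report describes and of the check it asks for; it is not code from the project. The `authenticate` decorator, the `make_store()` sample data, the token table and the `(status, body)` return convention are all assumptions made for the example. Beyond the missing 401, it also shows the ownership check that stops an authenticated user from rewriting tags on someone else's cell, and basic validation of `tag_ids`.

```python
"""Added example: an unprotected tag-assignment handler next to a hardened one.

Everything here is constructed for illustration (not the project's own code):
the request dict layout, the ``authenticate`` decorator, the token table and
the sample cell store are assumptions.
"""
import hmac
from functools import wraps

# Constructed sample token table: bearer token -> user name.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def make_store():
    """Fresh constructed sample data standing in for the cells table."""
    return {
        11: {"owner": "alice", "tags": [3, 4]},
        12: {"owner": "bob", "tags": []},
    }


def _user_from_header(headers):
    """Return the user for a valid 'Authorization: Bearer <token>' header, else None."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    for known, user in TOKENS.items():
        # Constant-time comparison so token lookup does not leak via timing.
        if hmac.compare_digest(known, token):
            return user
    return None


def authenticate(handler):
    """Decorator: answer 401 before the handler runs if no valid token is present."""

    @wraps(handler)
    def wrapper(request, *args, **kwargs):
        user = _user_from_header(request.get("headers", {}))
        if user is None:
            return 401, {"message": "Unauthorized"}
        request["user"] = user  # make the caller's identity available to the handler
        return handler(request, *args, **kwargs)

    return wrapper


# The defect as reported: no decorator, so any caller can overwrite tags.
def assign_tags_unprotected(request, store, cell_id):
    cell = store.get(cell_id)
    if cell is None:
        return 404, {"message": "Cell not found"}
    cell["tags"] = list(request["json"].get("tag_ids", []))
    return 200, {"message": "Tags assigned successfully", "tags": cell["tags"]}


# Hardened form: authenticate first, then confirm the caller owns the cell,
# then validate the payload before touching the store.
@authenticate
def assign_tags(request, store, cell_id):
    cell = store.get(cell_id)
    if cell is None:
        return 404, {"message": "Cell not found"}
    if cell["owner"] != request["user"]:
        return 403, {"message": "Forbidden"}
    tag_ids = request["json"].get("tag_ids", [])
    if not isinstance(tag_ids, list) or not all(isinstance(t, int) for t in tag_ids):
        return 400, {"message": "tag_ids must be a list of integers"}
    cell["tags"] = list(tag_ids)
    return 200, {"message": "Tags assigned successfully", "tags": cell["tags"]}


def demo():
    """Replay the report's curl request (no Authorization header) against both handlers.

    Returns the two status codes: the unprotected handler accepts the write,
    the hardened one rejects it.
    """
    request = {"headers": {"Content-Type": "application/json"}, "json": {"tag_ids": []}}
    unprotected_status, _ = assign_tags_unprotected(dict(request), make_store(), 11)
    protected_status, _ = assign_tags(dict(request), make_store(), 11)
    return unprotected_status, protected_status


if __name__ == "__main__":
    print(demo())  # (200, 401)
```

The ordering inside the hardened handler matters: the 401 is produced by the decorator before any database lookup, the 403 is decided on the stored owner rather than on anything the client sends, and the payload is only written once both checks have passed.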
