Accepting authorId from the request body allowed any authenticated user to create comments impersonating another user. The author is now always the authenticated user from req.payload.