0👍
Make sure that you have the id in the access token or the session.
Now, every time a URL is entered, see if the id is the same as the user's; if yes, proceed. But in case it does not belong to the user, you can either redirect the user to the valid page or show an unauthorized message.
Source: stackexchange.com
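A sketch of the ownership check described in the answer above, added here as an example and not part of the original answer. The route shape `/users/<id>/...`, the session key `user_id` and the function name `check_owner` are assumptions made for illustration.

```python
import re
from typing import Optional, Tuple

# Hypothetical route shape for this example: /users/<id>[/<page>...]
ROUTE = re.compile(r"/users/(?P<uid>[0-9]{1,18})(?P<rest>/[A-Za-z0-9_\-/]*)?")


def check_owner(session: Optional[dict], path: str,
                redirect: bool = False) -> Tuple[int, Optional[str]]:
    """Return (status, location) for a request to `path`.

    The trusted id comes only from the server-side session (or an already
    verified access token). The id in the URL is untrusted input that is
    compared against it, never the other way round.
    """
    if not session or "user_id" not in session:
        return 401, "/login"          # not authenticated at all

    m = ROUTE.fullmatch(path)         # fullmatch: no trailing junk or newline
    if m is None:
        return 404, None              # malformed or non-numeric id

    # Compare as integers so "0042" and 42 are treated the same way by this
    # check and by whatever lookup follows it.
    requested = int(m.group("uid"))
    owner = int(session["user_id"])

    if requested == owner:
        return 200, None              # id belongs to the user: proceed

    if redirect:
        # Option 1 from the answer: send the user to the valid page,
        # i.e. the same page under their own id.
        return 302, f"/users/{owner}{m.group('rest') or ''}"

    # Option 2 from the answer: show an unauthorized message.
    return 403, None


if __name__ == "__main__":
    session = {"user_id": 42}         # constructed sample session
    for p in ("/users/42/orders", "/users/43/orders"):
        print(p, check_owner(session, p), check_owner(session, p, redirect=True))
```

Run the check in one place (middleware or a decorator) so that every route carrying an id passes through it, including API endpoints that return the same data as the pages.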