Some of the routes you are using are not REST compliant. Remember, REST stands for Representational State Transfer; if you have static routes like /challenges/current, current isn't exactly a state: it's a property.
So, what should be a better naming convention here?
You need to change it. Use a generic route scheme:
GET /challenges - Get all the challenges; GET /challenges/:id - Get a specific challenge by an ID. Then, to get the currently open or active challenges, you can add a query filter:
GET /challenges?filter=active or GET /challenges?filter=open
This way, you have a much cleaner route table. In general, you should always remember that whatever you cannot do by the HTTP verbs should be put either in the headers or in the query parameters.
I am using JWT for managing sessions.
Excellent.
With JWT, you can do something called scoped authentication which means that a specific JW Token can access only a specific list of resources. Usually, you encode this in the body of the token with content something like:
scopes: [ 'USER:GET', 'USER:MODIFY' ]
Then, in the routes, you can make sure that the required scope exists; if it doesn't, give a 403 error.
To make sure that the user can only change his/her profile, you can add:
scopes: [ 'USER:MODIFY-SELF' ]
Of course, this is a very simple scheme and you can get all fancy with it but this is a good starting point.
I hope this made everything clear! If you are still stuck, drop a comment and I will be more than happy to help you! :)