Back
How can I prevent a user calling a function on behalf of another user?
What i'm doing is the following. Users can add other users as friends. For this, I have a friends collection (user1, user2, pending). The user calls this function and passes his own userid and a unique friends code as json to the function. What im wondering is, what stops another user from adding users for other users if he stole their userid?
The function is executable by logged in users only, but how could I check that the person who called the function, is the person he/she pretends to be with the provided userId in the json payload?
TL;DR
The user is asking how they can prevent a user from calling a function on behalf of another user. They have a friends collection where users can add other users as friends. They pass their own user ID and a unique friend code in a JSON payload to the function. The concern is that another user could potentially add friends for someone else if they have stolen their user ID. The function is only executable by logged-in users. The user is asking for a way to verify that the person calling the function is the rightful owner of the provided user ID. Is there a way to grab the user id backend side?
Yep! Refer to https://appwrite.io/docs/functions#functionVariables
