I have so many questions, so even if you answer one of them it would be amazing. First of all, I'm using Next.js. I have a "Sign in with Google" button to log in.
- Is the providerAccessToken something that should be kept private (aka server-sided)?
- Can I access a user's providerAccessToken or their session by their userid from the backend?
- How can I verify that the user is actually the user that made the request in my backend?
- I want to assign some groups to the user so they will have access to group1 and group2, for example. Do I need to create a new database for that? If yes, in what format? Would (userid, groups) be enough?
I had more questions but I don't remember them now. I'll create another topic if I remember.
Extra notes: I don't want to update my database directly from the client to Appwrite, since I want to verify/edit some data before updating the database.
TL;DR
1) Yes, the providerAccessToken should be kept private on the server-side.
2) You can access a user's providerAccessToken and session from the backend using their userID.
3) To verify the user's identity in the backend, use the userID or a secure token sent from the client.
4) You may need a new database to assign groups to users; a format like (userID, groups) could be sufficient.
Extra: To avoid updating the database directly from the client, verify and edit data before updating using Appwrite.
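
One way to do the backend check from questions 3 and 4, as an added example that is not part of the original thread. It assumes Appwrite's JWT flow (the browser calls `account.createJWT()` and the server SDK uses `setJWT`); `authorize`, `appwriteResolver`, `SAMPLE_GROUPS` and the environment variable names are hypothetical.

```javascript
// Added example: server-side identity and group check for a Next.js API route.
// Assumption: the browser sends the JWT from account.createJWT() as
// "Authorization: Bearer <jwt>" (Node lowercases header names in req.headers).

// Default resolver: asks Appwrite which user the JWT belongs to.
async function appwriteResolver(jwt) {
  const { Client, Account } = await import('node-appwrite');
  const client = new Client()
    .setEndpoint(process.env.APPWRITE_ENDPOINT) // placeholder env names
    .setProject(process.env.APPWRITE_PROJECT_ID)
    .setJWT(jwt);
  return new Account(client).get(); // rejects if the JWT is invalid or expired
}

// Constructed sample of the (userID, groups) mapping discussed in the thread.
const SAMPLE_GROUPS = new Map([
  ['user-a', ['group1', 'group2']],
  ['user-b', ['group1']],
]);

// Returns { status, userId?, error? }. opts.resolve and opts.groups can be
// swapped for a database lookup or a test double.
async function authorize(headers, requiredGroup, opts = {}) {
  const resolve = opts.resolve || appwriteResolver;
  const groups = opts.groups || SAMPLE_GROUPS;
  const match = /^Bearer\s+(\S+)$/.exec(headers.authorization || '');
  if (!match) return { status: 401, error: 'missing token' };
  let user;
  try {
    user = await resolve(match[1]);
  } catch (err) {
    return { status: 401, error: 'invalid token' };
  }
  // user.$id comes from the verified token, never from the request body.
  const userGroups = groups.get(user.$id) || [];
  if (!userGroups.includes(requiredGroup)) {
    return { status: 403, error: 'not in group', userId: user.$id };
  }
  return { status: 200, userId: user.$id };
}
```

Only after `authorize` returns status 200 would the route validate the submitted data and write it with a server-side API key.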