
Can req.headers['x-appwrite-user-id'] be spoofed?

  • 0
  • Functions
James
12 Mar, 2025, 19:53

Let's say that on the client I call a function:

```typescript
        //INSERT FUNCTION ID HERE
      );
```

and then on the server I have this:

```typescript
export default async ({ req, res, log, error }) => {
  if (req.path === "/") {
    const userId = req.headers['x-appwrite-user-id'];
    log(userId);
  }
  ...
}
```

Is it guaranteed that the userId on the server is the user who triggered the function or can it be spoofed? Does it need to be validated with x-appwrite-user-jwt? I am making it so that only users can execute the function also...
TL;DR
The `x-appwrite-user-id` header can be spoofed if not validated with `x-appwrite-user-jwt`. Always validate the user ID to ensure only authorized users can execute the function.
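
One way to do the validation the TL;DR describes, as an added example that is not from the original thread: resolve the caller from `x-appwrite-user-jwt` and reject the request when `x-appwrite-user-id` disagrees with it. `verifiedUserId`, `makeHandler`, `AuthError` and the injected `accountFromJwt` lookup are hypothetical names; in a deployed function the lookup is assumed to ask Appwrite for the account the JWT belongs to.

```javascript
// Added example. `accountFromJwt` is a hypothetical injected lookup; in a real
// function it is assumed to call Appwrite with the JWT (for instance with
// node-appwrite: a Client configured via setJWT(jwt), then new Account(client).get()).
class AuthError extends Error {}

// Return a header only if it is a single non-empty string.
function header(req, name) {
  const value = req.headers ? req.headers[name] : undefined;
  return typeof value === 'string' && value.length > 0 ? value : null;
}

// Resolve the caller from the JWT and never trust the id header on its own.
async function verifiedUserId(req, accountFromJwt) {
  const claimedId = header(req, 'x-appwrite-user-id');
  const jwt = header(req, 'x-appwrite-user-jwt');
  if (!jwt) throw new AuthError('missing x-appwrite-user-jwt');

  let account;
  try {
    account = await accountFromJwt(jwt);
  } catch (e) {
    throw new AuthError('JWT rejected'); // expired, malformed or forged token
  }
  if (!account || typeof account.$id !== 'string') {
    throw new AuthError('no account for JWT');
  }
  if (claimedId !== null && claimedId !== account.$id) {
    throw new AuthError('x-appwrite-user-id does not match JWT');
  }
  return account.$id; // the id that was actually authenticated
}

// Build the function entry point; in an Appwrite function this would be the default export.
function makeHandler(accountFromJwt) {
  return async ({ req, res, log, error }) => {
    try {
      const userId = await verifiedUserId(req, accountFromJwt);
      log(userId);
      return res.json({ userId });
    } catch (e) {
      if (!(e instanceof AuthError)) throw e;
      error(e.message); // detail goes to the function log, not to the caller
      return res.json({ error: 'unauthorized' }, 401);
    }
  };
}
```
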