# server
j
Hello everyone! I'm curious about how you manage User IDs in client-server communication. Here are the specific conditions:
• User Identification and Logging: The server uses User IDs to identify users and logs their actions.
• Third-Party User Management: User management is handled by a third-party service (e.g., Firebase, Supabase), with a direct database access URL.
• User ID Ownership: The User ID belongs to the logged-in user (device).
• Client-Side Usage: The User ID is not used on the client-side.
• Frequent Logging: Logs are generated approximately once every 2-3 seconds.
• JWT Usage: JWTs can be used by the server to identify users.
I've considered the following approaches:
Case 1: Storing User ID in Client-Side Memory
• Communication: HTTPS is used for communication, and the User ID is sent in the body of the request, not exposed in the URL.
• JWT and User ID: A JWT is included in the header, and the User ID is sent in the body if needed.
• Concerns: Are there any security risks or other issues with temporarily storing the User ID on the client and sending it in API calls?
Case 2: Using Only JWT for API Calls
• Communication: A JWT is included in the header, and the User ID is not stored on the client.
• Server-Side Lookup: The server accesses the third-party database to find the User ID.
• Concerns: Is the latency introduced by accessing the third-party database significant? When using JWTs for user identification on the server, it requires accessing the third-party database, which might introduce a slight delay.
Thank you guys and have a wonderful day 😛
k
how would you guarantee that user id is the same as the one implied by authentication?
j
my server shares users with third-party auth server, and uses JWT created by them
k
from client
n
JWT and store user id in JSON body. Send it using header
j
thx Nestor. And Jakub, I have never used the user id for authenticating users from the client; I think I am inexperienced in this field. Instead I used a refresh token stored on client devices for (re)authenticating users, and I think that if I authenticate users with their ids, it could be unsafe. What if someone steals and uses others' ids and acts as if the hackers are them? Can you tell me how I could authenticate users if you have time to respond? Thank you :)
a
You can never trust a user id sent by the client. You always need to verify the bearer of the JWT is authorized to access the user id. In the simplest scenario, users are only capable of accessing themselves, and so you verify the JWT and extract the user id from it. There would be no need to include the user id in the body. In a more complex scenario where other users can access other user data in certain scenarios, you need the caller's ACL to verify they have the rights to access the given user. Ideally the ACL would be in the JWT, but failing that, you will need to look it up.
To be clear, JWTs can contain plenty of data about the user. Most notably, their id ('sid'). Once you cryptographically verify the JWT, you can trust all the data it contains.
j
Thank you guys :)) I will discuss this with my team using your opinions. Thanks a lot, and take this cute cat