Security implications of auth.setAuth
Context: I am toying with a role-based authorization system. The authorization works as a database function that calls auth.uid to get the current user and look at all the permissions their role grants.
Now the problem: the database function can be called with rpc from my backend, but since I don't want to expose users' permissions to anyone calling, the function uses auth.uid to only return the caller their permissions. Of course, if I am calling it from server-side I don't have a user and the function returns no permissions.
I can use auth.setAuth to set the caller as the user calling my API based on cookies. Are there security implications with this? For example, could repeated calls be used to gain access as a different user than you are?
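Added illustration (not code from the original post or from supabase-js): a constructed stand-in client models the premise of the question, that setAuth stores the token on the client instance, and shows why one shared client can serve a request's RPC under another request's identity when requests overlap, while a client built per request cannot. The class, token strings and RPC name are all constructed for the simulation.

```javascript
// Constructed stand-in for a client whose setAuth() mutates instance state.
// It is NOT the real supabase-js API; it only models the behaviour the
// question worries about so the effect can be observed deterministically.
class SharedStateClient {
  constructor() { this.token = null; }
  setAuth(token) { this.token = token; }          // overwrites shared state
  async rpc(fn) {
    await new Promise((r) => setTimeout(r, 1));  // simulated network latency
    return { fn, as: this.token };               // token read AFTER the await
  }
}

// Risky pattern: one module-level client reused by every HTTP request.
const shared = new SharedStateClient();
async function handleWithSharedClient(cookieToken) {
  shared.setAuth(cookieToken);
  return shared.rpc("get_my_permissions");
}

// Safer pattern: a fresh client per request, so auth state is never shared.
async function handleWithPerRequestClient(cookieToken) {
  const client = new SharedStateClient();
  client.setAuth(cookieToken);
  return client.rpc("get_my_permissions");
}

// Runs two overlapping requests (constructed tokens for "alice" and "bob")
// through a handler and reports which identity each RPC actually ran as.
async function simulate(handler) {
  const [a, b] = await Promise.all([handler("jwt-alice"), handler("jwt-bob")]);
  return { alice: a.as, bob: b.as };
}
```

With the shared client, alice's request runs as "jwt-bob" because bob's setAuth landed before alice's RPC read the token; the per-request client keeps each identity with its own request.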