Hello, I am wanting to use Parse solely as a REST API, so if needed it will be less cumbersome to switch out my networking code interface. I also want to use Sign In with Apple as my primary method of authentication.
When testing signing up/logging in, I noticed that when I retrieve the current user (using the session token), it sends back the authData field, which contains the JWT and the user's Apple user identity.
Is this a security risk? As far as I understand, these are essentially the user's username/password, as with this information you can log in as a user and create a session. And if it were being sent across the network just once (for example, we cannot get around the fact that username/password login requires us to send the password across the network), I think it would be OK. But getting/refreshing the current user can be done often throughout the lifecycle of an application, which seems like we would be increasing the amount that this sensitive information is sent across the network.
I am not a backend developer, so maybe I am misunderstanding how these things work behind the scenes. Is this a security risk? Or is there a way we can omit the authData field when retrieving the current user?
thanks
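One thing a client can do regardless of how the server answers the question above is to make sure the authData block and the session token never outlive the request on the device: keep the session token in the platform keychain, and strip authData (and the token) from whatever copy of the user object is cached or logged. The Python below is an added illustration of that client-side scrubbing, not code from Parse or from the poster; the response dictionary is a constructed stand-in for a `GET /users/me` reply, and every token and id value in it is a placeholder.

```python
import copy
import re

# Constructed sample of a Parse REST "current user" response for a user who
# signed in with Apple. The shape (authData -> apple -> id/token) mirrors what
# the question describes; the values are placeholders, not real tokens.
SAMPLE_ME_RESPONSE = {
    "objectId": "abc123",
    "username": "u_placeholder",
    "authData": {
        "apple": {
            "id": "001234.placeholderuserid.5678",
            "token": "eyJhbGciOiJSUzI1NiJ9.PLACEHOLDER-PAYLOAD.PLACEHOLDER-SIG",
        }
    },
    "sessionToken": "r:placeholder-session-token",
    "createdAt": "2024-01-01T00:00:00.000Z",
    "updatedAt": "2024-01-01T00:00:00.000Z",
}

# Fields that act as credentials and must not be written to a cache, a crash
# report or a log line. sessionToken belongs in the keychain, not in the cache.
CREDENTIAL_FIELDS = ("authData", "sessionToken")


def strip_credentials(user: dict) -> dict:
    """Return a copy of the user object safe to persist in an ordinary cache.

    The original dict is left untouched so the caller can still read the
    session token once and hand it to secure storage.
    """
    cleaned = copy.deepcopy(user)
    for key in CREDENTIAL_FIELDS:
        cleaned.pop(key, None)
    return cleaned


def linked_providers(user: dict) -> list:
    """List the auth providers present in authData, without exposing their tokens."""
    return sorted((user.get("authData") or {}).keys())


def mask(value: str, keep: int = 4) -> str:
    """Keep only the first few characters of a secret so logs stay debuggable."""
    if not isinstance(value, str):
        return "<redacted>"
    return value[:keep] + "..." if len(value) > keep else "<redacted>"


def redact_for_logging(user: dict) -> dict:
    """Return a copy with every credential value masked, for debug output only."""
    redacted = copy.deepcopy(user)
    if "sessionToken" in redacted:
        redacted["sessionToken"] = mask(redacted["sessionToken"])
    for provider, data in (redacted.get("authData") or {}).items():
        if isinstance(data, dict):
            for field in ("id", "token", "access_token", "refresh_token"):
                if field in data:
                    data[field] = mask(data[field])
    return redacted


def contains_jwt_like_string(obj) -> bool:
    """Sanity check before caching: True if any string looks like a JWT (three
    base64url segments). Useful as a last-line guard in the cache writer."""
    jwt_re = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
    if isinstance(obj, dict):
        return any(contains_jwt_like_string(v) for v in obj.values())
    if isinstance(obj, list):
        return any(contains_jwt_like_string(v) for v in obj)
    return isinstance(obj, str) and bool(jwt_re.match(obj))


if __name__ == "__main__":
    # Typical client flow: read the token once, store it securely (not shown),
    # then cache only the scrubbed object.
    session_token_for_keychain = SAMPLE_ME_RESPONSE["sessionToken"]
    cacheable = strip_credentials(SAMPLE_ME_RESPONSE)
    print("providers:", linked_providers(SAMPLE_ME_RESPONSE))
    print("safe to cache:", not contains_jwt_like_string(cacheable))
    print("log view:", redact_for_logging(SAMPLE_ME_RESPONSE))
```

The `contains_jwt_like_string` guard is deliberately conservative: it only recognises the three-segment JWT shape, so it will not catch an opaque session token on its own, which is why `strip_credentials` removes `sessionToken` by name as well.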