Hi,
I’m building a headless e-commerce app that will integrate with MongoDB Realm, which will be used for the primary user management.
I have all users log in via MongoDB Realm and automatically create the corresponding user in the e-commerce platform when they register on the site. So far so good.
When I want to fetch address data for the customer, however, I have to use an admin API for the e-commerce platform (don’t ask me why, but you can’t get that data using frontend available APIs). This is where the problem begins.
Since this is sensitive data I need to ensure the user is logged in before they’re able to access the data, and they should only be able to access their own data. My idea was to pass the access token, or something similar, to our custom API and verify the token, preferably even decode it to get the customer email (used to query the e-commerce system) from there and nothing else from the request.
I’ve built this functionality with Firebase in the past and they have super simple functionality to verify a user ID token. I had hoped for something similar for Realm, but haven’t been able to find anything.
What’s the best way to achieve this in Realm?