I see the authentication token is in the code, of course, but is this part exposed in JavaScript, aka in the browser?
If that's the case, I wouldn't recommend this approach.
I worked 6½ years in an online gambling company and we knew that client-side information such as authentication tokens is a no-go, even for guest logins.
You could make a "Session" service and let it produce a session token and then send that to the guest; then each authentication token would be unique + you need a server-side way of expiring these tokens too.
I hope and assume you use Firebase for that purpose?
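
The session-service idea from the comment above, as an added example (not code from the post or the commenter): each guest gets a unique random token, and the server keeps the expiry and can revoke it. The class name, the in-memory `Map` store and the 15-minute TTL are assumptions made for illustration.

```javascript
// Added example: in-memory guest session service (all names are hypothetical).
const crypto = require('node:crypto');

class GuestSessionService {
  constructor({ ttlMs = 15 * 60 * 1000, now = () => Date.now() } = {}) {
    this.ttlMs = ttlMs;        // assumed lifetime; tune to the application
    this.now = now;            // injectable clock so expiry can be tested
    this.sessions = new Map(); // sha256(token) -> { expiresAt }
  }

  // Store only a hash so a leaked session table does not yield usable tokens.
  static digest(token) {
    return crypto.createHash('sha256').update(token).digest('hex');
  }

  // Issue a unique, unguessable token per guest (256 bits from the CSPRNG).
  issue() {
    const token = crypto.randomBytes(32).toString('base64url');
    const expiresAt = this.now() + this.ttlMs;
    this.sessions.set(GuestSessionService.digest(token), { expiresAt });
    return { token, expiresAt };
  }

  // Validate on every request; expired entries are deleted when seen.
  validate(token) {
    if (typeof token !== 'string' || token.length === 0) return false;
    const key = GuestSessionService.digest(token);
    const entry = this.sessions.get(key);
    if (!entry) return false;
    if (this.now() >= entry.expiresAt) {
      this.sessions.delete(key);
      return false;
    }
    return true;
  }

  // Server-side revocation (logout, abuse handling).
  revoke(token) {
    if (typeof token !== 'string') return false;
    return this.sessions.delete(GuestSessionService.digest(token));
  }
}
```

Only the per-guest token ever reaches the browser; the shared credential for the backend stays on the server that runs this service.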