GriffinLedingham / php-apple-signin

🗝 Decode Apple Sign In client tokens in PHP
BSD 3-Clause "New" or "Revised" License
200 stars 87 forks

Is verification useful? #18

Open neobie opened 4 years ago

neobie commented 4 years ago

This program can verify if the identityToken is valid with clientUser. But it didn't verify if the clientUser is from the app I wish to verify (Service ID, Team ID), meaning any app can verify and return true in this program.

m41w4r3exe commented 4 years ago

I think that user string is unique so it cannot exist in any other app's scope, if I am understanding you correctly.

To my knowledge, this package's verifyUser function is a safe and secure verification if the user is valid.
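The audience check this issue asks about, as an added example that is not code from this thread or from php-apple-signin: an Apple identity token carries `iss` (`https://appleid.apple.com`) and `aud` (the client ID, that is the bundle ID or Services ID, the token was issued to), and a server can compare both against its own values alongside the user (`sub`) match. It assumes the token's signature has already been verified and its payload decoded into an array; `checkAppleClaims`, the client IDs and the sample claims are hypothetical, constructed values.

```php
<?php
// Added example: claim checks on an already signature-verified Apple identity token.
const APPLE_ISSUER = 'https://appleid.apple.com';
// Constructed placeholders: replace with your own bundle ID / Services ID.
const EXPECTED_AUDIENCES = ['com.example.app', 'com.example.web.service'];

/**
 * Returns a list of problems; an empty list means the claims are acceptable.
 * $claims is the decoded JWT payload, $clientUser the user ID sent by the client.
 */
function checkAppleClaims(array $claims, string $clientUser, ?int $now = null): array
{
    $now = $now ?? time();
    $problems = [];

    if (($claims['iss'] ?? null) !== APPLE_ISSUER) {
        $problems[] = 'iss is not Apple';
    }
    // JWT allows aud to be a single string or a list of strings.
    $aud = array_filter((array) ($claims['aud'] ?? []), 'is_string');
    if (count(array_intersect($aud, EXPECTED_AUDIENCES)) === 0) {
        $problems[] = 'aud is not one of our client IDs';
    }
    $exp = $claims['exp'] ?? null;
    if (!is_int($exp) || $exp <= $now) {
        $problems[] = 'token is expired or has no exp';
    }
    $sub = $claims['sub'] ?? null;
    if (!is_string($sub) || !hash_equals($sub, $clientUser)) {
        $problems[] = 'sub does not match the client-supplied user';
    }
    return $problems;
}

// Constructed sample claims: one token issued to our app, one to a different app.
$now = 1700000000;
$user = '001234.constructed.0001';
$ours = ['iss' => APPLE_ISSUER, 'aud' => 'com.example.app', 'exp' => $now + 600, 'sub' => $user];
$other = array_merge($ours, ['aud' => 'com.other.app']);

foreach (['ours' => $ours, 'other app' => $other] as $label => $claims) {
    $problems = checkAppleClaims($claims, $user, $now);
    echo $label . ': ' . ($problems ? implode('; ', $problems) : 'accepted') . PHP_EOL;
}
```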