Building an iOS app and wanted feedback on my auth approach for a leaderboard feature.
I didn't want players to create an account just to get on the leaderboard, so I'm using the CloudKit User ID as their identity. It's unique per app and stable across reinstalls, so returning users are automatically recognised.
The flow is pretty simple — when a user taps "Join Leaderboard" the app sends their CloudKit ID along with a username and country code to a Supabase Edge Function, which creates their profile and returns a JWT for all future requests.
The CloudKit ID is only ever seen by the Edge Function and stored in a private schema, so it's never exposed through any public query.
Is this a reasonable approach for a small app? Happy to hear if there's an obvious gap I'm missing.
Interesting lightweight approach for avoiding signup friction. My main question would be around trust boundaries: how are you verifying that the CloudKit user ID actually belongs to the caller, instead of just trusting a client-sent identifier? The overall flow sounds clean, but identity schemes like this usually get tested at the verification layer more than the storage layer.
That is a good question. This is a risk I am not sure how to solve without making the flow complex, because Apple provides Device Attestation, i.e. proving that a request came from a real, untampered app on a real, untampered iOS device. But I am wondering if it's worth it, because security is not very important: at the end it's just exercise points and it's anonymous, i.e. based on username, so nothing for bad actors to gain other than getting to the top of the leaderboard or creating new fake accounts, I guess.
Device Attestation seems quite complex to implement at this stage, where I only have 50 daily users of my app. Would love to know if there's a simple way to at least not let people abuse the API if they find out?