I want to identify the actual user operating the POS on my app’s backend (in our case, the person clocking in a staff member for a shift).
• The user in the session token is the person who logged into the POS.
• The session.staffMemberId represents the actual operator.
The issue is that I can’t guarantee the session.staffMemberId hasn’t been tampered with in the request to the backend.
What do you suggest?
Would it be possible to include the session information (such as staffMemberId) inside the signed session token?