
Edited the doc to remove the bit about this scenario being unlikely. We take security very seriously and would be happy to get feedback on the new copy (or any other aspect of MagicBell).



I see your point with Intercom, but it feels like you're arguing that two wrongs make a right. It doesn't make me think MagicBell takes security very seriously, but perhaps I'm just paranoid.

Regardless, the copy on the website is improved. You may also want to add a warning and link anywhere your website documents the "userEmail" option.

On another note, in terms of the implementation here, I'm surprised you're asking users to use HMAC and base64 manually, instead of using standardized JWTs. Did anything in particular motivate that decision?

I quite like the product overall - I think it's very clever how you componentized everything. The security decisions just have me concerned.
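To make the question in the comment above concrete, here is an added example (not MagicBell's or Intercom's code, and not the page's own) that builds both kinds of identity-verification token side by side: a hand-rolled HMAC over a user identifier such as the "userEmail" value, and the same claim carried as a standard HS256 JWT. The secret, the e-mail address and the claim layout are constructed for the demo; the actual shape of MagicBell's scheme is not on the page and is not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real per-account secret lives server-side only
# and is never shipped to the browser.
API_SECRET = b"constructed-demo-secret-not-a-real-key"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT uses (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Scheme 1: bare HMAC over the user identifier ---------------------------
def make_user_hmac(user_email: str, secret: bytes = API_SECRET) -> str:
    """Server side: bind a user identifier to this account's secret."""
    return hmac.new(secret, user_email.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_user_hmac(user_email: str, presented: str, secret: bytes = API_SECRET) -> bool:
    """Server side: recompute and compare in constant time.

    Note what this scheme lacks: no expiry and no audience, so a digest that
    leaks stays valid until the secret itself is rotated."""
    return hmac.compare_digest(make_user_hmac(user_email, secret), presented)


# --- Scheme 2: the same claim as a standard HS256 JWT -----------------------
def make_jwt(user_email: str, secret: bytes = API_SECRET, ttl_s: int = 3600, now=None) -> str:
    """Mint an HS256 JWT with subject, issued-at and expiry claims."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url(json.dumps({"sub": user_email, "iat": now, "exp": now + ttl_s}, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, secret: bytes = API_SECRET, now=None):
    """Return the payload dict if signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm on the verifier side; never let the token's own
    # "alg" field choose how it is checked.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample user
    digest = make_user_hmac(email)
    print("HMAC scheme valid:", verify_user_hmac(email, digest))
    token = make_jwt(email, now=1_600_000_000)
    print("JWT claims:", verify_jwt(token, now=1_600_000_100))
    print("JWT after expiry:", verify_jwt(token, now=1_600_003_700))
```

Both schemes are "just an HMAC" under the hood, which is why the choice between them is about what gets signed, not about the strength of the primitive: the JWT form carries an expiry and a fixed algorithm identifier that the verifier can pin, while the bare HMAC over an identifier has neither, and any library that already speaks JWT can verify it without bespoke base64 handling. For production use a maintained JWT library rather than this hand-rolled encoder.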


Hi thrwaway2020aug, indeed we could have made a better choice in that regard. Actually we plan to move to JWT in the coming months.

Be assured that we take security very seriously. We are in conversations with banking platforms, and with that in view, we are planning to get a SOC 2 certification very soon.



