Moralis cloud function only returns for web3 authenticated user

I am thinking that when I call Moralis.Cloud.run("function", wallet address, input), it will run the "function" in my Moralis Cloud server code. But if an attacker tries to bypass the authentication and steals my ServerURL and AppID, can't they also call my function with any wallet address (pretending to be someone else) and with any input?

Did I miss anything? Or is there any way to only react to Moralis.Cloud.run calls from authenticated users?

Anyone with the serverUrl and appId can call the cloud function, and you can add some extra validations in the cloud code to prevent non-authenticated users by checking who requested the cloud function call.

https://docs.moralis.io/moralis-dapp/cloud-code/cloud-functions#advanced-cloud-function-validation

1 Like
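The validation described in the answer above, as an added example that is not part of the original thread or Moralis' own code: the function is registered with `requireUser: true`, and the wallet address is read from the authenticated `request.user` rather than from a client-supplied parameter. The function name `updateProfile`, the helpers `callerAddress`, `callCloud` and `fakeUser`, and the small `Moralis.Cloud` stub (there only so the block runs offline) are assumptions, as is the user's wallet being stored in the `ethAddress` attribute.

```javascript
// Offline stand-in for the Moralis.Cloud runtime, constructed for this example.
// On a real server the global `Moralis` already exists: drop this stub.
const registry = new Map();
const Moralis = {
  Cloud: {
    define(name, handler, validator = {}) {
      registry.set(name, { handler, validator });
    },
  },
};

// Stand-in dispatcher: like the server, it applies the validator before the handler.
async function callCloud(name, { user, params = {} } = {}) {
  const { handler, validator } = registry.get(name);
  if (validator.requireUser && !user) {
    throw new Error("login required"); // stand-in for the server's validation error
  }
  return handler({ user, params });
}

// Identity comes from the authenticated session, never from client params.
function callerAddress(request) {
  if (!request.user) throw new Error("not authenticated");
  const address = String(request.user.get("ethAddress")).toLowerCase();
  const claimed = request.params && request.params.address;
  if (claimed && String(claimed).toLowerCase() !== address) {
    throw new Error("address does not match authenticated user");
  }
  return address;
}

// "updateProfile" is a hypothetical function name.
Moralis.Cloud.define(
  "updateProfile",
  async (request) => {
    const address = callerAddress(request);
    return { address, nickname: request.params.nickname };
  },
  { requireUser: true }
);

// Constructed session user for local runs.
function fakeUser(addr) {
  return { get: (key) => (key === "ethAddress" ? addr : undefined) };
}
```

A call that carries only the serverUrl and appId has no session, so `request.user` is empty and the validator rejects it before the handler runs.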

Also read this about the visibility of your serverUrl and appId and what you can do to lock down your server.

1 Like