Once the user signs in to MetaMask, can that signature be used for anything else? Like, can anyone else access that user object and get the signature and use it for evil? Or is it just a signature for signing in? Isn’t a signature proving that it’s that account?
It is only a signature to prove that the user has that account.
Only the current user should be able to read its data from the db.
Because the signature is readily available in the account object. Is there any way anyone can maliciously obtain this?
Did you mean as well that only a signed-in user of that signature can trigger Moralis to provide the user account info at runtime?
So if I switch accounts in MetaMask, I won’t be able to get that account info of the user of another ethAddress?
Yes, only the current Moralis user can get that signature data; a Moralis user is not the same thing as switching an account in MetaMask.
You will have to logout from your Moralis account.