node.js - ExpressJS prevent my app from being hacked
I am writing an app to give user1's money to user2, if user1 agrees that user2 completed a task successfully.
I have several ideas on how to go about this, but I am worried about security. I am not understanding the subject as well as I should, and I am hoping for advice.
One method is to listen for whether user1 is happy with user2's job completion.
Example Express code for saving the data to the Firebase DB:
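app.post('/general/something', function(serverreq, serverres) {
    var data = serverreq.body;
    // The record to update is chosen by useroneid from the request body,
    // and nothing checks who sent the request.
    var ref = db.ref("stuff/" + data.useroneid).update({
        ishappy: true
    });
    serverres.send("posted");
});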
Then check if the user is happy in the DB, and send user2 user1's money.
However, it seems as if anyone (especially user2) can post data (user1's id) to the server at "/general/something" and receive userone's money.
We can assume user2 knows user1's Firebase userid, because I need the users to be able to reference each other, and the userid is the way I've found to do that in Firebase (without giving the other user's email address out).
What is the best way of completing this task?
Thanks to @elanhamburger, I was able to fix the problem using tokens from Firebase (https://firebase.google.com/docs/auth/admin/verify-id-tokens).
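The token-based fix mentioned above, as an added example that is not part of the original post: the handler takes the approver's identity from a verified Firebase ID token rather than from `useroneid` in the body. The names `makeApproveHandler` and `bearerToken`, the use of an `Authorization: Bearer` header, and the `fake*` stand-ins are assumptions made for illustration; in a real app the verifier would be the Admin SDK's `admin.auth().verifyIdToken`.

```javascript
// Added example (not the poster's code). verifyIdToken and db are injected so the
// logic runs offline; in the app, pass (t) => admin.auth().verifyIdToken(t) and db.
function bearerToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^Bearer (\S+)$/.exec(header);
  return match ? match[1] : null;
}

function makeApproveHandler(verifyIdToken, db) {
  return async function approve(req, res) {
    const token = bearerToken(req);
    if (!token) return res.status(401).send('missing token');
    let decoded;
    try {
      decoded = await verifyIdToken(token); // rejects if the token is not valid
    } catch (err) {
      return res.status(401).send('invalid token');
    }
    // The uid comes from the verified token. Any useroneid in the body is
    // ignored, so a caller can only mark their own record as happy.
    await db.ref('stuff/' + decoded.uid).update({ ishappy: true });
    return res.send('posted');
  };
}

// Constructed stand-ins for the Admin SDK, the database and the Express response.
const TOKENS = { 'tok-user1': { uid: 'user1' }, 'tok-user2': { uid: 'user2' } };
const fakeVerify = async (t) => {
  if (!TOKENS[t]) throw new Error('bad token');
  return TOKENS[t];
};
function fakeDb() {
  const writes = {};
  return { writes, ref: (path) => ({ update: async (v) => { writes[path] = v; } }) };
}
function fakeRes() {
  const res = { code: 200, body: null };
  res.status = (c) => { res.code = c; return res; };
  res.send = (b) => { res.body = b; return res; };
  return res;
}
```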