Calling a (Netlify) serverless function from a UDF safely

If the client is using Login and you have a user token client side:

  1. Send the secret via the Authorization header
  2. Get the secret from the header in the function
  3. Create your new Client from the secret

If the secret is valid, all you technically need is to run client.query(true). If the promise resolves, then the token is valid. KeyFromSecret is unnecessary since the secret is valid by definition if the client works.

Of course if you want to do more to check if the particular user has the right credentials, then a more detailed query would be needed.

Netlify functions are all HTTPS, so it is relatively safe. The vulnerability more likely will be in how the secret is stored client side.

Side notes:

If you create tokens manually, i.e. with Create(Tokens(), ...) then you can add additional data, which could be retrieved from KeyFromSecret. But you would need to add a new login function to Netlify specifically for that.

This may be an interesting topic to you:
