It dawned on me that with so much client-side logic, malicious users can spoof, override or game Firebase apps by using the console in any browser.
For instance, I can enter $(".flag").click() and with three strokes flag every post out of existence on my app.
Any defensive logic I write will all be available to anyone who wants to crack it.
How have you dealt with this? Is there a work around?
Short answer: yes, but it will be harder than a website.
Firebase is a fully managed backend service that gives you best-in-class infrastructure for your web apps, handling everything from user authentication and server scaling, right through to crash analytics and a reliable testing environment.
Firebase is fantastic if you want to create something out of nothing in a flash, making it great for rapid prototyping. If you've got the general gist of what you want to do and need a fully configured backend you can connect to, then Firebase can be your go-to service.
In reality, Firebase is no different than any other server process with regards to security. Anybody can open the JavaScript console on any site (or write their own HTML page, or run curl from the command line) to try to manipulate data.
Firebase moderates clients using straightforward but surprisingly powerful security rules. Couple those with an authentication schema, and you can restrict access to, and validate any incoming data with minimal fuss.
{
  "rules": {
    // widgetName must be a string
    "widgetName": { ".validate": "newData.isString()" },
    // user accounts can only be read by the authenticated client that owns them
    // (auth.uid is the authenticated user's id in Realtime Database rules)
    "users": {
      "$user_id": {
        ".read": "$user_id === auth.uid"
      }
    }
  }
}
Firebase rules are really a new web-building approach. You can build any kind of web app using those rules. I'll not put rules code here, but I'll explain what I mean. For example, you want to build a learning app. Using rules you can create two or three roles for users. Then for each content item you can put a field (an array, for example) and check for each request whether the requesting user, after authentication, has the role to access some content. I think all CMSs are working this way right now.
Hope this will give more ideas on Firebase platform.
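A fuller rule set that works through the role idea from the answer above, as an added example that is not part of the original answer and not taken from Firebase's documentation. It assumes a hypothetical data layout with `roles`, `profiles`, `lessons` and `flags` subtrees and the role names `student`, `teacher` and `admin`; the `flags` subtree shows how the flag-every-post click from the question is bounded on the server side no matter what the client does.

```json
{
  "rules": {
    // Role assignments live in their own subtree so that a user's permission to
    // edit their profile never cascades into permission to edit their role.
    "roles": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && root.child('roles').child(auth.uid).val() === 'admin'",
        ".validate": "newData.isString() && (newData.val() === 'student' || newData.val() === 'teacher' || newData.val() === 'admin')"
      }
    },
    // Each signed-in user owns their profile; only the listed fields are accepted.
    "profiles": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        "displayName": { ".validate": "newData.isString() && newData.val().length <= 64" },
        "$other": { ".validate": false }
      }
    },
    // Lessons carry an 'allowedRoles' map such as {"student": true}. A user may
    // read a lesson only if their stored role is a key of that map; only
    // teachers and admins may create or change lessons.
    "lessons": {
      "$lesson_id": {
        ".read": "auth != null && root.child('roles').child(auth.uid).exists() && data.child('allowedRoles').hasChild(root.child('roles').child(auth.uid).val())",
        ".write": "auth != null && (root.child('roles').child(auth.uid).val() === 'teacher' || root.child('roles').child(auth.uid).val() === 'admin')",
        ".validate": "newData.hasChildren(['title', 'allowedRoles'])",
        "title": { ".validate": "newData.isString() && newData.val().length <= 200" }
      }
    },
    // Flags: a user may flag a post once, under their own uid, with the value
    // true, and may neither change nor delete the flag afterwards. A client
    // that fires the flag handler on every post still produces at most one
    // accepted write per user per post; the rest are rejected by the server.
    "flags": {
      "$post_id": {
        "$uid": {
          ".read": "auth != null && root.child('roles').child(auth.uid).val() === 'admin'",
          ".write": "auth != null && auth.uid === $uid && !data.exists() && newData.val() === true"
        }
      }
    }
  }
}
```

Two details of the rule engine shape this layout: `.write` permissions cascade downward, so a user who may write `profiles/$uid` could also write any child under it, which is why role assignments sit in a separate `roles` subtree; and `.validate` rules are not evaluated for deletes, so the "one flag, never removed" invariant is expressed in `.write` rather than `.validate`. The `$other` wildcard with `.validate: false` rejects any profile field not explicitly listed, which keeps a console user from attaching arbitrary data to their own record.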