
How do you prevent client side console hacks on firebase web apps?

Tags:

firebase

It dawned on me that with so much client side logic, malicious users can spoof, override or game firebase apps by using the console in any browser.

For instance, I can enter $(".flag").click() and with three strokes flag every post out of existence on my app.

Any defensive logic I write will all be available to anyone who wants to crack it.

How have you dealt with this? Is there a workaround?

Itumac asked Oct 08 '13 02:10



2 Answers

In reality, Firebase is no different than any other server process with regards to security. Anybody can open the JavaScript console on any site (or write their own HTML page, or run curl from the command line) to try to manipulate data.

Firebase moderates clients using straightforward but surprisingly powerful security rules. Couple those with an authentication schema, and you can restrict access to, and validate, any incoming data with minimal fuss.

{
   "rules": {
       // widgetName must be a string
       "widgetName": { ".validate": "newData.isString()" },

       // user accounts can only be read by the authenticated client
       "users": {
           "$user_id": {
               ".read": "$user_id === auth.id"
           }
       }
   }
}
Kato answered Oct 21 '22 05:10


Firebase rules are really a new web building approach. You can build any kind of web app using those rules. I'll not put rules code here but I'll explain what I mean. For example, you want to build a learning app. Using rules you can create two or three roles for users. Then for each content you can put a field (array for example) and check for each request if the requesting user, after authentication, has the role to access some content. I think all CMSs are working this way right now.

Hope this will give more ideas on Firebase platform.

Martin Jovial answered Oct 21 '22 04:10
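
The following rules sketch is an added example, not code from either answer: it applies the two answers (per-path validation and role checks) to the flag scenario in the question. The paths `posts`, `flags` and `users/<id>/role` and the role value `moderator` are assumptions for illustration; it uses `auth.uid`, the field name in current Firebase rules, where the answer above has `auth.id`.

```json
{
  "rules": {
    "users": {
      "$user_id": {
        // a user can read only their own record
        ".read": "auth != null && auth.uid === $user_id",
        // the display name is client-writable by its owner and must be a string
        "name": {
          ".write": "auth != null && auth.uid === $user_id",
          ".validate": "newData.isString()"
        }
        // "role" has no .write rule, so no client can grant itself a role;
        // it is set out of band by an administrator (assumption)
      }
    },
    "posts": {
      "$post_id": {
        ".read": true,
        // editing or removing a post requires the moderator role,
        // looked up server-side from the caller's own user record
        ".write": "auth != null && root.child('users').child(auth.uid).child('role').val() === 'moderator'",
        "flags": {
          "$flagger_id": {
            // a flag is stored under the caller's own id, once per post,
            // and cannot be overwritten or removed by the client afterwards
            ".write": "auth != null && auth.uid === $flagger_id && !data.exists()",
            ".validate": "newData.val() === true"
          }
        }
      }
    }
  }
}
```

With rules like these, a script that clicks every flag button records at most one flag per post under the caller's own id; whether a post is hidden is then decided from the number of distinct flaggers or by a moderator, not by the client.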