How do you prevent client side console hacks on firebase web apps?

Question

It dawned on me that with so much client side logic, malicious users can spoof, override or game firebase apps by using the console in any browser.

For instance, I can enter $(".flag").click() and with three strokes flag every post out of existence on my app.

Any defensive logic I write will all be available to anyone who wants to crack it.

How have you dealt with this? Is there a work around?

Answer 1

In reality, Firebase is no different than any other server process with regards to security. Anybody can open the JavaScript console on any site (or write their own HTML page, or run curl from the command line) to try to manipulate data.

Firebase moderates clients using straightforward but surprisingly powerful security rules. Couple those with an authentication schema, and you can restrict access to, and validate any incoming data with minimal fuss.

{
   "rules": {
       // widgetName must be a string
       "widgetName: { ".validate": "newData.isString()" },

       // user accounts can only be read by the authenticated client
       "users": {
           "$user_id": {
               ".read": "$user_id === auth.id"
           }
       }
   }
}

Answer 2

Firebase rules is really a new web building approach. You can build any kind of web app using thoses rules. I'll not put rules code here but I'll explain what I mean. For example. You want to build a learning app. using rules you can create two or three roles for users. Then for each content you can put a field(array for example) and check for each request if the requester user after authentication have the role to access some content. I think all CMS are working by this way right now.

Hope this will give more ideas on Firebase platform.