4

My application uses AngularJS + Firebase authentication using google. As user signs up into the application it creates an entry of that user in database as shown below:

user
  ->Firebase Unique Key
           -> UserId: "google ID"
           -> User Name: "User Name"
           -> Payment Status:"No"

Now once user logins user will see payment option and once payment has been done database value for that particular ID will get populated against "Payment Status" as shown in JSON above. Once payment status is yes then only user is allowed to view the main page.

I have created security rules as shown below:

{
"rules": {
    ".read": "true",

  "user":{
    ".write": "auth.provider == 'google' && auth.uid!=null"

  }
}}

Now the question is: Any user who can login using google has access to write to this database. So once user is authorized user can make changes in the database. Also user can run his own code from localhost and can make changes to the database.I don't want any user to hack data and mark payment status as "Yes" and proceed to main website.

How to make sure that authorized user wont perform any malicious activity in this database.

Lani
  • 178
  • 1
  • 2
  • 9

1 Answers1

3

Firebase uses an identity based security model: you secure access to the data based on the identity of the user. Once you authorize a user to write a specific property, they can write that property.

In your use-case, it seems like a bad idea to allow the user to change their payment status. So they should not have write access to that property, no matter if they're running your app or code of their own.

So you'll have to have another entity set that field. This can either be a human administrator or a server.

Having a human interaction is not as uncommon as you may think. Many web services start by having the owner check the payments and update the protected metadata (the payment status in your scenario). Once this becomes unmanageable, you're probably ready for the other option.

A server can run under trusted credentials, perform the necessary checks and then set the user's payment status. Note that this doesn't have to be a very beefy server, since all it does is interact with the Firebase Database. See this article for a good explanation.

Community
  • 1
  • 1
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Thanks Frank for the response. But is there any way in firebase to prevent users from running the same copy of code in their localhost. As they have access to the database then they can surely perform any malicious activity through referring the firebase URL from their own localhost. I tried to remove localhost from authorized domain but in firebase by default authorized domains include: localhost – Lani Apr 04 '16 at 04:29
  • "is there any way in firebase to prevent users from running the same copy of code in their localhost" No. If that is your question, I'll mark as a duplicate. But think about it for a moment: if the user is running a copy of your code, and is sticking to the security rules that you've set up, what malicious usage can they do? – Frank van Puffelen Apr 04 '16 at 14:33
  • 1
    They can flood up the database by storing some malicious scripts. As per your answer given above this could only be stopped if i use server . But in case i just use client side language and firebase then in that case they can store anything in the database as they have access to that database. – Lani Apr 04 '16 at 17:18
  • "is there any way in firebase to prevent users from running the same copy of code in their localhost" Yes. https://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification – Roddy R Nov 03 '21 at 00:21