
I intend to use Firebase Queue to push tasks for registering a user using his/her mobile number, like WhatsApp, for a mobile application. I am using a third-party service to verify a user's mobile number. The verification process is a two-step process:

  1. Send the user's mobile number to the third-party service, which returns a request_id and sends a code to the user's mobile via SMS
  2. Send the request_id and the code entered by the user, and verify it

This is the first thing that I would do when the user opens the mobile app for the first time after installing it. Since the user is not even registered yet, there is no auth data for the user.

I want to ask what kind of security rules I can add to the Firebase queues so that no outsider can add tasks to or remove tasks from the Firebase queues.

I can also expose APIs on the server directly, which the mobile app can use to perform the above verification, but I am thinking that if there is a way to add some security rules to the Firebase queues for such a scenario as well, then I would rather have the mobile app talk only to Firebase.

I have created the following sample code: 1. Queue worker 2. Client

Currently, anyone who knows my app location can add a task to the queue. Since the user has not been authenticated yet, I cannot add any auth-specific security rules to Firebase. I was thinking of shipping the mobile app with an application secret and having something like this as the security rule for the Firebase queue:

{
  "rules": {
    "queue": {
      "tasks": {
        "$taskId": {
          ".write": "newData.child('appSecret').val() === '<appSecret>'"
        }
      }
    }
  }
}

Here <appSecret> is what is shipped with the mobile app, and each new task also contains the appSecret in it. Now only clients who know the appSecret can add tasks to the Firebase queue.

Varun Gupta
  • Did you try anything yet? Instead of (or in addition to) describing what you want, it's more useful if you show what you've tried already and show where it fails (or where you doubt the approach). It allows us to see what you're trying in a less ambiguous manner (code beats text for that) and where there may be obvious gaps in your logic. – Frank van Puffelen Apr 05 '16 at 15:49
  • @FrankvanPuffelen I have updated the question with what I have tried and have in mind for the security rules – Varun Gupta Apr 05 '16 at 17:56
  • Firebase-queue has a section titled [Pushing tasks into the queue](https://github.com/firebase/firebase-queue#pushing-tasks-onto-the-queue) that demonstrates how to add a new item to the queue. – Kato Apr 05 '16 at 18:10
  • @Kato My question is not about how to add tasks to the queue. My question concerns the security rules that I should add to the firebase queue, since the client will be adding these tasks before the user has been authenticated. – Varun Gupta Apr 05 '16 at 19:20
  • You can't authenticate users without authenticating them first. Still unclear what you mean here. – Kato Apr 05 '16 at 19:44
  • @Kato The task that I want to add to the firebase queue is to authenticate the user. I understand that it may not be meant for such a use case. I appreciate your responses. Thanks! – Varun Gupta Apr 06 '16 at 01:58
  • 1
    So, my guess is that you should a) do this via a REST call or b) just allow anyone to write to the queue (see [this](http://stackoverflow.com/questions/18005984/how-to-prevent-other-access-to-my-firebase) and [this](http://stackoverflow.com/questions/18890330/how-to-make-sure-only-my-own-website-clientside-code-can-talk-to-firebase-back/18897630#18897630) for more on restricting access by client). Probably the latter because it's simple. The trick is throttling requests to prevent rainbow attacks. The REST call is nice because you can capture the referer IP. – Kato Apr 06 '16 at 18:00

0 Answers