
I am developing a hobby project using Firebase and some Node.JS running on Google App Engine as backend. I am a real newbie in this area, and also just heard about Firebase a month ago.

My question relates to how various "things" can be secured from user actions, even though Firebase is running as JS on client-side.

I am aware that the DB and Storage can be secured using logical rules - that is in place.

My question rather concerns the actions a user can perform with firebase.auth() and similar, such as:

  • firebase.auth().createUserWithEmailAndPassword()
  • firebase.auth().currentUser.delete()
  • firebase.auth().currentUser.link()

As I have understood it from the question linked below, there is no solution - the user will always be able to call these functions, and it is considered low-risk since they cannot touch other user accounts. "prevent firebase user from deleting himself"

My concern with not being able to block users from these actions is that I cannot perform the relevant changes to the DB. For some basic use cases I assume it is easy to set up a nightly batch-job to clean up, but I am afraid of future more complex issues.

My current solution for making atomic actions, e.g. delete user account and delete user data in DB, is to send a request to my back-end Node.JS server. That works fine, but a user could, as I understand, bypass this and request e.g. currentUser.delete() by himself/herself. Another case is when a user unlinks a Google account. I would like the user to be logged out, but with the premise that the user can unlink with the follow-up action.

Question: Have I misunderstood anything? Can this be easily prevented, or is it so that all the available actions are considered harmless and it is up to me to perform clever clean-up etc.? If it cannot be prevented, do you have any suggestions more clever than nightly batch jobs?


With Cloud Functions for Firebase you could, for example, trigger a function on user deletion. That way, every time a user is deleted, you can run your code to do the cleanup, no matter how the user deletion is invoked.

const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp();

// Fires whenever an Auth user is deleted, regardless of who triggered it
// (client SDK, Admin SDK or the console).
exports.removeUserFromDatabase = functions.auth.user().onDelete(function(user) {
    // firebase-functions v1+ passes the deleted UserRecord directly
    // (older releases wrapped it as event.data).
    var uid = user.uid;

    // Remove the user from your Realtime Database's /users node.
    return admin.database().ref("/users/" + uid).remove();
});

The same goes for "onCreate". Check out the documentation: https://firebase.google.com/docs/auth/extend-with-functions

Clinton
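The answer above removes a single node; the asker's worry was that user data lives in several places and must go atomically. The following is an added example (not code from the answer or from Firebase) showing the same onDelete trigger doing a fan-out cleanup with one multi-location update, which the Realtime Database applies all-or-nothing. The paths `/users/{uid}`, `/user-posts/{uid}` and `/posts/{postId}` are an assumed schema, and the in-memory database stand-in is constructed here so the logic runs offline; in a real project `cleanupDeletedUser` would be handed `admin.database()`.

```javascript
// Build a multi-location update: every path mapped to null is deleted, and the
// Realtime Database commits the whole map atomically (all paths or none).
function buildUserCleanupUpdate(uid, postIds) {
  const updates = { [`/users/${uid}`]: null, [`/user-posts/${uid}`]: null };
  for (const postId of postIds) {
    updates[`/posts/${postId}`] = null;
  }
  return updates;
}

// `database` is anything exposing the subset of the admin Realtime Database API
// used here: ref(path).once('value') and ref(path).update(map).
async function cleanupDeletedUser(database, uid) {
  // /user-posts/{uid} is an assumed index of the user's post ids.
  const snap = await database.ref(`/user-posts/${uid}`).once('value');
  const postIds = Object.keys(snap.val() || {});
  const updates = buildUserCleanupUpdate(uid, postIds);
  await database.ref('/').update(updates);
  return updates;
}

// Constructed in-memory stand-in for admin.database(): a flat map of absolute
// paths to values, enough to exercise the two calls above.
function makeFakeDatabase(initial) {
  const data = { ...initial };
  return {
    data,
    ref(path) {
      return {
        async once() { return { val: () => (data[path] === undefined ? null : data[path]) }; },
        async update(updates) {
          for (const [p, v] of Object.entries(updates)) {
            const abs = path === '/' ? p : path + p;
            if (v === null) delete data[abs]; else data[abs] = v;
          }
        },
      };
    },
  };
}

// Wiring inside a Cloud Functions project's index.js (left as a comment so this
// file runs without the firebase packages installed):
// const functions = require('firebase-functions');
// const admin = require('firebase-admin');
// admin.initializeApp();
// exports.removeUserFromDatabase = functions.auth.user()
//   .onDelete((user) => cleanupDeletedUser(admin.database(), user.uid));
```

Because the trigger runs server-side with Admin SDK privileges, it is unaffected by whether the client called `currentUser.delete()` directly or went through your own backend, which is what makes the cleanup reliable.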