Firebase - Join chat with password securely

Question

How to check if user enters correct password to join a chat.

This approach is propably compeletely improper. This piece of code is just to show what I want to accomplish but it isn't working at all.

val ref = FirebaseDatabase.getInstance().getReference("chats")  

ref.child(chatName).child("password").equalTo(password).addListenerForSingleValueEvent(   
    override fun onDataChange(snapshot: DataSnapshot) {
        Log.d(TAG, snapshot.toString())
        // if there is data the password was right
    }
    ....
)

How can this whole join chat with password system be done securely? What kind of rules do I have to set to the database.

Is it possible to alter firebase queries with rooted phone and see the data that is transferred between client and the server?

Answer 1

If you'd like to secure each chat room with a password, one option is to embed that password into the path of the chat room. So for example:

chats: {
  roomId1: {
    secret: {
      chat11: ...
      chat12: ...
    }
  }
  roomId2: {
    correcthorsebatterystaple: {
      chat21: ...
      chat22: ...
    }
  }

Secure this structure with the following rules:

{
  "rules": {
    ".read": false,
    "chats": {
      "$roomId": {
        "$password: {
          ".read": true
        }
      }
    }
  }
}

With this structure, nobody can read the list of rooms, or even a specific room. To be able to read they must know both the room Id and the password for that room.