
I am working on a React web app with a Firebase back end.

I was thinking about the security implications of accessing and updating the database directly versus accessing and updating the database with the use of back end functions like Firebase Cloud Functions.

Is it possible for malicious users to change the source code of the web app in such a way that they can alter the database queries once the web app has been built for production?

Kara
JrProgrammer

1 Answer


Yes, that is quite possible and quite common. You should not rely on the source code of your app to ensure your business rules.

Instead you'll want to rely on a combination of authentication and authorization to secure your data.

Authentication means that you ask the user to sign in, so that you know who's performing a certain operation. In Firebase you'll want to use Firebase Authentication for that. If you don't want to prompt the user for credentials, you can use anonymous authentication.

Once you know the user, you can ensure that they can only perform operations they are authorized for. You could do this in a custom backend, like Cloud Functions. But I'd always first consider Firebase's built-in security rules. These are evaluated server-side, and provide a fairly simple way to authorize access. Since the syntax depends on which database you use, here are the docs for Firebase Realtime Database and for Cloud Firestore.

Also see:

Frank van Puffelen