0

I understand that security rules are the safest way to protect data however it doesn't support my method in storing user data when they click on specific elements. This is because if I turn write == true they are able to change the database willingly which I don't want them to do; I just want to record their input from my website privately.

Hence, my solution was to create another database on the server. Initialise the firebase realtime database on the server.js file. I thought this would be ideal, as the client doesn't access to any of the credentials (And yes I know, even if the user does have it, it's not that bad anyway but just in case).

So if I were to use socket.io to request from the client (all they see is "socket.emit('value', 'value')) then wouldn't it be safe as they are not seeing anything related to the firebase database as it is all on the server (which is not shown to the user)?

I just want clarification on if this is safe and ideal because it seems to logically work if I were to neglect the security rules.

Apologise to the previous users that replied on my previous post, this may be very similar but I have elaborated a little bit more to make what I am doing a bit more clearer.

Thanks for all your help.

Client Code:

var a = 0;

socket.emit('value', a);

Server Code:

firebase.initializeApp({
        apiKey: VALUE,
        authDomain: VALUE,
        databaseURL: VALUE,
        projectId: VALUE,
        storageBucket: VALUE,
        messagingSenderId: VALUE,
        appId: VALUE,
        measurementId: VALUE
});

socket.on('value', function(data) {
  var ref = firebase.database().ref('node');
  ref.set(data);
})
KneeHowMa
  • 19
  • 5
  • I'm not clear. So you're saying you only want a client to read some values from the database but not write? – Doug Stevenson May 25 '20 at 00:20
  • Keep in mind that the firebase is read and write true. So when a user clicks a button, it sends a request using socket to the server (were the firebase init has been created) to interact with the database. Hence, i'm assuming the user can't alter the firebase database because it is all on the server? Therefore, it would be okay to allow read and write to be true? Hopefully this made a bit of sense, i'm doing something very weird but plausible. – KneeHowMa May 25 '20 at 00:28
  • If your security rules to allow read and write, then anyone can modify the data. The fact that*you* only do so from your server, doesn't mean that others can't do it from wherever they want. If you don't write from the client however, the client might not know the database URL, which gives you a form of security-through-obscurity. But it's impossible to say anything definitive without seeing how you implement this. – Frank van Puffelen May 25 '20 at 00:32
  • But how can they access the database if they have no information on it (all data hidden on the server)? Anyone can read and write, true, but they don't know the database url, apikey, nothing. The only way they could alter the database could be through signing into my firebase account which is difficult. Am I missing another method of client users accessing my firebase database? Sorry for any confusion. – KneeHowMa May 25 '20 at 00:36
  • 1
    At this point we'd need to see a minimal implementation to say more. – Frank van Puffelen May 25 '20 at 00:39
  • I have added an example of what I mean above. Firebase database information is all on the server, and changes to the firebase database '/node' is also on the server. Hence, can the client user actually do anything to alter the database if everything is hidden? – KneeHowMa May 25 '20 at 00:48
  • This code indeed seems (unlike your first [question](https://stackoverflow.com/questions/61980724/firebase-auth-are-my-variables-secure-safe)) to no longer expose identity of your Firebase project to the caller. So there is no way for the caller to determine the database URL from what you shared. – Frank van Puffelen May 25 '20 at 01:16

1 Answers1

1

The code you shared indeed seems (unlike your first question) to no longer expose identity of your Firebase project to the caller. So there is no way for the caller to determine the database URL from what you shared.

Whether this is secure enough for your needs, only you can determine. But a few things to keep in mind:

  • If a user can find the database URL through another means, your ".read": true, ".write": true rules still allow them to both read all data, and write whatever they want.
  • Your code allows writing anything the user wants to the database. You'll want to lock that down either in your code, or with Firebase's server-side security rules.
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • So ultimately if I keep my project URL of my firebase project secure/hidden then no one is able to muck around with it? If it isn't much trouble could you please elaborate on the second dot point to please. Could you provide an example of locking it down in my code? Thank you so much, this has been very helpful! :D Also, could it be possible for client users to alter the database using the socket.io commands in the console on their browser or is that not allowed? – KneeHowMa May 25 '20 at 01:26
  • I'm struggling to find methods in authenticating user access through the code. Are there any tips? – KneeHowMa May 25 '20 at 08:36
  • Wouldn't it also be secure enough that i'm using heroku's environmental variables? My credentials aren't on the server exactly, it is being extracted from heroku's website that stores the variables. So technically, it is pretty secure right? – KneeHowMa May 25 '20 at 12:27