
I built an event registration app which adds all the participants to a real-time database.

The Database:

Database

To secure my app I have used security rules which only allow pushing data to "participants". I use JSON in order to create the registration process.

Security Rules

I want to return some feedback to the client if she/he enters an email that has already been registered.
Can I do it without opening a read option on "participants"?

LopDev
  • Very nice question. Maybe one approach is to keep a public list of all registered participants' hashed emails and compare the user's entered value against those hashes. – Ivanka Todorova Sep 30 '20 at 13:09
  • And then giving read access only to that list? @IvankaTodorova – Aviv Liberman Sep 30 '20 at 13:11
  • Yes, this way you're not exposing your user emails database and you have a way to present a message to the users if an email already exists. – Ivanka Todorova Sep 30 '20 at 13:15
  • Do you know of any guide on how to hash lists in the real-time database? @IvankaTodorova – Aviv Liberman Sep 30 '20 at 13:17
  • @AvivLiberman Hashing emails with `MD5`/`SHA1` with a salt (that you keep as an env variable in Firebase) might be sufficient. Also you can take a look at [this](https://security.stackexchange.com/a/202025/172840) & [this](https://stackoverflow.com/questions/26108341/firebase-security-rule-and-check-for-unique-records?rq=1). – Ivanka Todorova Sep 30 '20 at 13:31
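
The hashed-email index discussed in the comments, sketched as an added example that is not code from the original post or from Firebase: a server-side step derives a keyed hash of the normalized address and uses it as a write-once index key, so a duplicate can be reported without granting read access to "participants". It uses HMAC-SHA-256 rather than the MD5/SHA1 named in the comment, and because the key stays on the server the check has to run there, not in the client. The names `INDEX_KEY`, `emailIndex` and `createRegistry` are hypothetical, and the database is replaced by an in-memory stand-in.

```javascript
// Added example (not from the original post): duplicate-email detection via
// a write-once index keyed by a keyed hash of the address.
const { createHmac } = require('node:crypto');

// Assumption: in a real deployment this key comes from server-side
// configuration (e.g. an environment variable) and never ships to clients.
const INDEX_KEY = 'constructed-demo-key-not-for-production';

// Normalize so " Bob@Example.COM " and "bob@example.com" map to one entry.
function normalizeEmail(email) {
  return email.normalize('NFKC').trim().toLowerCase();
}

// HMAC-SHA-256 as hex: 64 characters, none of which are forbidden in a
// Realtime Database key ('.', '$', '#', '[', ']', '/').
function emailIndexKey(email, key = INDEX_KEY) {
  return createHmac('sha256', key)
    .update(normalizeEmail(email), 'utf8')
    .digest('hex');
}

// In-memory stand-in for two database paths (hypothetical layout):
//   participants/<pushId> -> full record, not readable by clients
//   emailIndex/<hmacHex>  -> marker, written once per address
function createRegistry() {
  const participants = [];
  const emailIndex = new Set();
  return {
    register(record) {
      const k = emailIndexKey(record.email);
      if (emailIndex.has(k)) {
        // Feedback for the client; no participant data is disclosed.
        return { ok: false, reason: 'email-already-registered' };
      }
      emailIndex.add(k);
      participants.push({ ...record, email: normalizeEmail(record.email) });
      return { ok: true };
    },
    // What a reader of the index would see: hashes only, no addresses.
    publicIndex: () => [...emailIndex],
    count: () => participants.length,
  };
}
```

Without the server-held key, anyone who can read the index could test candidate addresses against it, which is why the hash here is keyed rather than a plain digest.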
