0

I'm making a chat app using Firebase.

Since I've no Cloud Functions subscription, I'm using a model of 'chat rooms', where if you enter, you can chat with other people.

A chat room in my model will have only two people.

In database, it means only these two users can have access to this chat room.

This is my Firebase rtdb security file

"chat": {
  "$chatroomid": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

This allows only authenticated users to access stuff inside a chat room.

But if you're authenticated and somehow know the chat room id, you can join as a third person.

I want to prevent that.

I know it cannot be done using Firebase features directly. Is there a hack I can apply?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
AvirukBasak
  • 108
  • 3
  • 8
  • One method is to create '$chatroomid' using a concatenation of UIDs of the two users, and have the rtdb rule to check if 'auth.uid' is contained in the '$chatroomid' variable. But I don't know how to make that check. – AvirukBasak Oct 17 '21 at 08:01
  • I'll also need to validate the order in which the UIDs get concatenated. If _ is a seperator and the UIDs are '123' and 'abc', the roomid should be '123_abc' and not the other way around. – AvirukBasak Oct 17 '21 at 08:06

1 Answers1

1

To allow securing access, you'll need to have a place in your database where you store the UIDs that have access to a given room ID. Say that you have this in

"room_members": {
  "chatroom1": {
    "uidOfUser1": true,
    "uidOfUser2": true
  },
  "chatroom2": {
    "uidOfUser2": true,
    "uidOfUser3": true
  }
}

With the above structure, you can secure access to the rooms themselves with:

"chat": {
  "$chatroomid": {
    ".read": "auth != null && 
              root.child('room_members').child(chatroomid).child(auth.uid).exists()",
    ...
  }
}

Also see: Best way to manage Chat channels in Firebase for more on modeling this.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • I could keep a seperate place for UIDs, but that creates the same problem of which users are authorised to write names to 'room_members'. I think the best way is as suggested by you in the link, using a lexical way to generate room id based on user IDs. The issue is, what if someone tries to create the room id by sending a direct server request. This will bypass the checks made in frontend. I need a way to validate the lexically made room id using database rules. – AvirukBasak Oct 17 '21 at 17:00