
Firebase Sending Request to Server from Client Safe Using Socket.IO?

I understand that security rules are the safest way to protect data, however they don't support my method of storing user data when they click on specific elements. This is because if I turn write == true they are able to change the database willingly, which I don't want them to do; I just want to record their input from my website privately.

Hence, my solution was to create another database on the server. Initialise the Firebase Realtime Database in the server.js file. I thought this would be ideal, as the client doesn't have access to any of the credentials (and yes I know, even if the user does have it, it's not that bad anyway, but just in case).

So if I were to use socket.io to request from the client (all they see is "socket.emit('value', 'value')"), then wouldn't it be safe, as they are not seeing anything related to the Firebase database since it is all on the server (which is not shown to the user)?

I just want clarification on whether this is safe and ideal, because it seems to logically work if I were to neglect the security rules.

Apologies to the previous users that replied on my previous post; this may be very similar, but I have elaborated a little bit more to make what I am doing a bit clearer.

Thanks for all your help.

Client Code:

 var a = 0;
 socket.emit('value', a);

Server Code:

 // Assumes the v8 namespaced Firebase SDK the snippet uses; `io` is the
 // socket.io server instance, and the connection handler that puts `socket`
 // in scope was left out of the original snippet.
 const firebase = require('firebase/app');
 require('firebase/database');

 firebase.initializeApp({
   apiKey: VALUE, authDomain: VALUE, databaseURL: VALUE, projectId: VALUE,
   storageBucket: VALUE, messagingSenderId: VALUE, appId: VALUE, measurementId: VALUE
 });

 io.on('connection', function(socket) {
   socket.on('value', function(data) {
     // Writes whatever the client sent, unvalidated, to a fixed node.
     var ref = firebase.database().ref('node');
     ref.set(data);
   });
 });

The code you shared indeed seems (unlike your first question) to no longer expose the identity of your Firebase project to the caller. So there is no way for the caller to determine the database URL from what you shared.

Whether this is secure enough for your needs, only you can determine. But a few things to keep in mind:

  • If a user can find the database URL through another means, your ".read": true, ".write": true rules still allow them to both read all data, and write whatever they want.
  • Your code allows writing anything the user wants to the database. You'll want to lock that down either in your code, or with Firebase's server-side security rules.
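One way to "lock that down in your code", as the answer suggests, is to validate the emitted value and let the server choose the write path. The following is an added example, not code from the question or answer; `MemoryDb` is a constructed in-memory stand-in for `firebase.database()` so it runs offline, and using `socket.id` as the user identifier is an assumption.

```javascript
// Constructed stand-in for the Realtime Database so the handler runs offline.
// With the real SDK, db.set(path, v) becomes firebase.database().ref(path).set(v).
class MemoryDb {
  constructor() { this.nodes = new Map(); }
  set(path, value) { this.nodes.set(path, value); }
  get(path) { return this.nodes.get(path); }
}

// Accept only what the feature needs: an integer element index in a fixed
// range. Strings, objects, NaN and out-of-range numbers are rejected, so a
// caller cannot push arbitrary JSON into the tree through the socket.
function validateValue(data) {
  if (typeof data !== 'number' || !Number.isInteger(data)) return null;
  if (data < 0 || data > 100) return null;
  return data;
}

// userId is assigned by the server when the socket connects (socket.id here,
// an assumption; a verified session or Firebase ID token is stronger), so the
// client never names the node it writes to and cannot overwrite other users.
// Returns the path written, or null when the input was rejected.
function handleValue(db, userId, data) {
  const value = validateValue(data);
  if (value === null) return null;
  const seq = (db.get(`counters/${userId}`) || 0) + 1;
  db.set(`counters/${userId}`, seq);            // append-only per user
  const path = `clicks/${userId}/${seq}`;
  db.set(path, { value, at: new Date().toISOString() });
  return path;
}

// Wire the handler to a socket.io server (`io` from require('socket.io')).
function attach(io, db) {
  io.on('connection', (socket) => {
    socket.on('value', (data) => {
      if (handleValue(db, socket.id, data) === null) {
        socket.emit('value:rejected');          // feedback without echoing input
      }
    });
  });
}
```

The client code from the question stays exactly as it is: `socket.emit('value', a)`.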
