
How to secure Flutter + Firebase app without forcing users to register?

I need to create a Flutter app which will be used in schools. The rough idea is that a parent can see certain data about their kid by entering their own Personal ID and the kid's Personal ID. In the database I would have one table with kids, one with parents, and one which will connect parent_id to child_id. The last table will serve as a mechanism to check which parent can access the data for which child.

In our country a personal ID is a highly sensitive piece of data and if I'm going to store it anywhere, I need a good security solution. Can someone recommend the best practice to implement security both on Flutter side and on Firebase side?

I don't want to make my users register and log in if that's not absolutely necessary; I would prefer to keep the app simple, with two fields and one button only.

Edit: Of course, I could use another type of ID and that would reduce the risk of sensitive data leakage, but that would force users to remember one more useless array of numbers.

Here's a list of helpful functions to make Firestore security rules easier to write:

// MARK - Funcs --------------------------------------------------------

function currentUser() {
    return request.auth;
}

function isEmailVerified() {
    return request.auth.token.email_verified;
}

function isLoggedIn() {
  return currentUser() != null;
}

function isCurrentUser(userID) {
  return isLoggedIn() && currentUser().uid == userID;
}

function currentUserRef() {
    return /databases/$(database)/documents/users/$(currentUser().uid);
}

function userRef(userID) {
    return /databases/$(database)/documents/users/$(userID);
}

function existingDataID() {
    return resource.id;
}

function existingData() {
    return resource.data;
}

function incomingDataID() {
    return request.resource.id;
}

function incomingData() {
    return request.resource.data;
}

function isChanged(property) {
  return incomingData()[property] != existingData()[property];
}

function isNull(property) {
  return incomingData()[property] == null;
}

function isNotNull(property) {
  return incomingData()[property] != null;
}

function isList(property) {
  return incomingData()[property] is list;
}

function isString(property) {
  return incomingData()[property] is string;
}

function isNumber(property) {
  return incomingData()[property] is number;
}

function isBool(property) {
  return incomingData()[property] is bool;
}

function isMap(property) {
  return incomingData()[property] is map;
}

function isTimestamp(property) {
  return incomingData()[property] is timestamp;
}

function isPath(property) {
  return incomingData()[property] is path;
}

function minSize(property, value) {
  return incomingData()[property].size() >= value;
}

function maxSize(property, value) {
  return incomingData()[property].size() <= value;
}

function maxlength(property, value) {
  return incomingData()[property].size() <= value;
}

function minlength(property, value) {
  return incomingData()[property].size() >= value;
}

function max(property, value) {
  return incomingData()[property] <= value;
}

function min(property, value) {
  return incomingData()[property] >= value;
}

and then use them to secure collections:

match /users/{userID} {
  // USE isValidData() TO VERIFY DATA COMING IN TO FIRESTORE
  function isValidData() {
    return isCurrentUser(incomingDataID()) &&
      (isNotNull('name') && isString('name')) &&
      (isNotNull('email') && isString('email')) &&
      {... all other data in the document ...} &&
      (isNotNull('createdAt') && isTimestamp('createdAt')) &&
      (isNotNull('updatedAt') && isTimestamp('updatedAt'));
  }

  allow read: if isLoggedIn();
  allow write: if isValidData();
}

Basic concept, but it can be built upon. I can give a better answer if I know the models and how it's set up. Based on what you said, you can check whether the incoming user ID is in the list of parents of the child document, for example, to see if the parent can access the child's document, if that makes sense.
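The parent/child link check described at the end of the answer, written out as a complete rule set for the collections the question sketches (kids, parents, and a linking table). This is an added example, not code from the answerer or from Firebase; it assumes a Firebase Auth identity in request.auth (which every helper above also relies on, since rules cannot verify a personal ID typed into a form field), that link documents live at /parent_child/{parentUid}_{childId}, and that those link documents are created by a trusted backend rather than by the app.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helpers in the same spirit as the answer's list, only the ones needed here.
    function isLoggedIn() {
      return request.auth != null;
    }
    function currentUid() {
      return request.auth.uid;
    }

    // Assumed layout: one document per authorised parent/child pair,
    // keyed "<parent auth uid>_<child document id>", written only by a backend.
    // The link is keyed by the Firebase Auth uid, never by a personal ID,
    // so no sensitive identifier has to appear in a document path or rule.
    function isLinkedParent(childId) {
      return isLoggedIn()
        && exists(/databases/$(database)/documents/parent_child/$(currentUid() + '_' + childId));
    }

    match /children/{childId} {
      // A parent may read only the children linked to them; no client writes.
      allow read: if isLinkedParent(childId);
      allow write: if false;
    }

    match /parent_child/{linkId} {
      // Clients never read or write links, so an app user cannot link
      // themselves to an arbitrary child.
      allow read, write: if false;
    }

    match /parents/{parentUid} {
      // A parent may read only their own profile, keyed by auth uid.
      allow read: if isLoggedIn() && currentUid() == parentUid;
      allow write: if false;
    }
  }
}
```

Because `allow read` on /children/{childId} is evaluated per document, a client query over the whole collection is rejected; the app must fetch a child document by its id, which is the behaviour the two-field, one-button UI implies.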
