stackoom
  简体   繁体   中英

Firebase prevent malicious update in real-time database

 原文  2022-12-29 10:10:14       reactjs/ firebase/ firebase-realtime-database/ firebase-authentication

Question

I'm trying to develop a real-time anonymous queue with firebase real-time database. The concept is when a person visits my webpage, it will generate a UUID and insert a record at firebase DB. Based on the position of the UUID, I will determine that user's position in the queue. Here is the sample of the documents:-

{
    _random_key_1: {
        uuid: '47c044c7-da32-4e37-a416-cb2d621e0e39',
        is_finished: false
    },
    _random_key_2: {
        uuid: 'bcb8e01f-7745-43aa-9897-fd217d755769',
        is_finished: false
    },
    _random_key_3: {
        uuid: 'cdf754bd-4626-4da1-b676-9ebe87927a04',
        is_finished: false
    },
}

Here, the position of the user with queue id cdf754bd-4626-4da1-b676-9ebe87927a04 is 3. When someone in front of a queue finishes his thing, I will update his queue object with is_finished: true and recalculate the position of everyone else connected to this DB.

For example, let's say the first user ( 47c044c7-da32-4e37-a416-cb2d621e0e39 ) finishes his thing. Here is how the documents will look

{
    _random_key_1: {
        uuid: '47c044c7-da32-4e37-a416-cb2d621e0e39',
        is_finished: true
    },
    _random_key_2: {
        uuid: 'bcb8e01f-7745-43aa-9897-fd217d755769',
        is_finished: false
    },
    _random_key_3: {
        uuid: 'cdf754bd-4626-4da1-b676-9ebe87927a04',
        is_finished: false
    },
}

Now, the position of the user with queue id cdf754bd-4626-4da1-b676-9ebe87927a04 is two because there is only one person with an unfinished task in front of him.

The problem is since I'm all of this from frontend (because I'm expecting heavy load at the application and not planning to overload my backend server), anyone can steal my firebase credentials and maliciously set is_finished = true to everyone in front of him.

How do I prevent such a scenario?

1 answers

solution1
 0  2022-12-29 16:00:46

You can use either Firebase's server-side security rules to control what users can write. Since these are enforced on the server, users can't bypass them from the client-side code.

For example, if a user should only be able to add an item with is_finished set to false, you can use a validation rule to enforce that. This does require that you can distinguish regular users from the user that processes the queue items, so typically means you'll either want to use Firebase Authentication to identify them - or run the processing code with one of Firebase's Admin SDK in a trusted environment (such as your development machine, a server you control, or Cloud Functions/Cloud Run that Renaud mentioned).

Also consider using Firebase App Check , which makes it much harder for a malicious user to run their own code with your configuration keys. While this will help against abuse, it is not a guarantee that all malicious use is eliminated, so you should still take the approach described above too.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to save DropdownButtonFormField value to Firebase real-time database? How to add a new node dynamically in firebase real-time database Data is not display in the real-time database How to match phone number with the phone number present in firebase real-time database (react-native) How can I secure Firebase Real-Time Database Rest API? how do i write the data to Real-time Database firebase flutter? Firebase Real-Time Data Base & Storage Problem Python Real-time database onDisconnect not executing after logging out Read from real time database not working Firebase How can I fetch data from inside a node which the database.ref is listening to in my Firebase real-time database using cloud functions?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM