mr_c

Reputation: 593

Security for collaborator email invitations

I'm attempting to build a web app with Firebase along the lines of a collaborative to-do list. Groups of users each have a shared list, and for someone to have access to a particular list, they must either have started the group, or be invited to it. Invites would be sent via email, including to users who have not used the site before. My aim is to avoid server-side code and I'm using AngularJS. Each group's list would have its own URL.

Login to the site would be with Facebook or username & email. I assume there's a way to invite other Facebook users via Facebook, but I'd rather avoid a Facebook app and for simplicity would like to stick to a common invite system for users however they're logged in. Hence I'm intending the system to work like this:

An existing member of the group would enter the intended new member's email address. JavaScript would generate a random alphanumeric token, and the token is used to create a new child of an invites Firebase location, like this:

"invites": {
    "12345ABC": "Group Name"
},

with these security rules:

"invites": {
    ".read": false,
    ".write": false,
    "$token": {
        ".read": true
    }
}

That way you can only read a token if you know it's there.

The email address and a URL for the group's shared list that ends with the token would be added as a child to an email-queue location in Firebase. Zapier (or similar) then detects this child added event and emails the recipient with the invite URL. The email_queue can only be read by Zapier or other cron-type-thing for the privacy protection of invite recipients. (EDIT: Zapier offers the option to delete the locations it operates on, and to save space I guess I'd use it).

A user who clicks on the link they receive is added to the group, once they have either logged in with Facebook or signed up for an account with email & password.

Is the above sensible or are there security holes I'm not seeing?

Side question: Because I can't see a secure way of maintaining a counter, would there be any way to stop a malicious user with a long list of email addresses from disrupting the system by triggering numerous invites, thereby reaching the email provider's send limit? (Zapier doesn't seem to provide for this).

Upvotes: 4

Views: 655

Answers (1)

Tom Larkworthy

Reputation: 2364

Yes, there will be no way for a non-invited user to guess a token if specified like the above. Make sure no read condition evaluates to true anywhere above the invites branch.

side answer:

I can think of a hacky way of doing it. If your tokens are fixed length, you can maintain another field which is a delimited string concatenation of tokens that a user is going to send. Then to add a new invite, first append it to the collection string, then add it to the invites list. Use the security expression .contains to enforce that the new token exists in the user's invite token collection.

This is not a real-time way of doing things but for small invite lists it might be ok. Use security to enforce the size of the invite collection to be below a certain size. Use some timestamp logic to allow the user to clear the list if it's been a while since they last appended to the token list.

Upvotes: 1
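The following is an added simulation of the throttle the answer sketches; it is not the answerer's code and has not been run against Firebase. The rule expressions quoted in the comments are constructed to match the description (fixed-length tokens, a delimited string per user, `.contains` on the invite write, a length cap, and a timestamp that permits clearing the list). The constants, the `users/$uid/invite_tokens` path and the one-hour reset window are assumptions.

```javascript
const TOKEN_LENGTH = 8;            // fixed length is what makes the string-length cap a token cap
const DELIM = ',';                 // a delimiter that cannot appear in a token prevents
                                   // .contains from matching across two adjacent tokens
const MAX_TOKENS = 5;              // invites a user may have outstanding
const MAX_LIST_LENGTH = MAX_TOKENS * (TOKEN_LENGTH + DELIM.length);
const RESET_AFTER_MS = 60 * 60 * 1000;
const TOKEN_RE = new RegExp(`^[A-Za-z0-9]{${TOKEN_LENGTH}}$`);

// Constructed rule sketch this code mirrors (assumed paths, not from the answer):
//   "users": { "$uid": { "invite_tokens": {
//       ".write": "auth.uid === $uid",
//       ".validate": "newData.val().length <= 45"   // MAX_LIST_LENGTH
//   }}},
//   "invites": { "$token": {
//       ".write": "root.child('users/' + auth.uid + '/invite_tokens').val().contains($token)"
//   }}

// What the .validate rule on the list would check.
function validateTokenList(newVal) {
  return typeof newVal === 'string' && newVal.length <= MAX_LIST_LENGTH;
}

// Step 1 of the answer: append the token to the user's collection string.
// state = { tokens: string, lastAppended: ms }. When the list is full, the
// append is refused unless the last append is older than RESET_AFTER_MS, in
// which case the list is cleared first (the "timestamp logic" in the answer).
function appendInviteToken(state, token, nowMs) {
  if (!TOKEN_RE.test(token)) {
    return { ok: false, reason: `token must be ${TOKEN_LENGTH} alphanumerics`, state };
  }
  let list = state.tokens;
  if (list.length + TOKEN_LENGTH + DELIM.length > MAX_LIST_LENGTH) {
    if (nowMs - state.lastAppended < RESET_AFTER_MS) {
      return { ok: false, reason: 'invite quota exhausted', state };
    }
    list = ''; // enough time has passed: the user may clear and start over
  }
  const next = { tokens: list + token + DELIM, lastAppended: nowMs };
  if (!validateTokenList(next.tokens)) {
    return { ok: false, reason: 'list too long', state };
  }
  return { ok: true, state: next };
}

// Step 2 of the answer: the write to invites/$token only passes if the token
// is present in the collection string (Firebase's .contains; String.includes here).
function canWriteInvite(state, token) {
  return TOKEN_RE.test(token) && state.tokens.includes(token);
}

module.exports = { appendInviteToken, canWriteInvite, validateTokenList, MAX_LIST_LENGTH };
```

The cap is on the string, not on a counter, which is why it can be enforced with `.validate` alone. Because the list is cleared rather than trimmed, a user gets at most `MAX_TOKENS` invites per reset window, which bounds how quickly one account can push mail through the queue.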
