ErnieKev

Reputation: 3021

Use Firebase Security Rules to validate data before writing

Upon login through Firebase, I obtained the uid from Firebase. With that uid, I go into my database and grab more information about the user.

-user
    -9a0rzPh3g5bqclxsarzx6pvd03  <- this is the user id
        -name: John Doe
        -companyId: Microsoft
        -uid: 9a0rzPh3g5bqclxsarzx6pvd03
        -email: [email protected]
        -managerEmail: [email protected]

Now my app has the detail of the user saved in a variable named currentUser.

As my app is a 'form' based app where the user submits forms to a manager for approval, when the user fills out a form, I save it to my Firebase node based on the "companyId". The manager (James Bond) will then be able to query the pendingForms node to look for anything that is addressed to him.

-forms
    -Microsoft
        -pendingForms
            -KdAh5CCsbxvc1EVcbau <- this is the time stamped ID generated by firebase
                -submissionDate: 72490175
                -submistionNote: Please take a look
                -managerEmail: [email protected]
                -userEmail: [email protected]

Since my app is built on Angular 2 with TypeScript, I believe my code is vulnerable to being modified. My concern is that once the user info is downloaded, the user is able to go into the code and change the "currentUser" variable's companyId to someone else's. Therefore, if he has access to the companyId and manager email of that other company, he would be able to submit the form to that manager just by manipulating the client-side code.

I have been reading several pieces of Firebase documentation on the Security Rules API and user-based security rules. The only way that I can see to resolve this is a Custom Auth Token, such as

".write": "auth.companyId === root.child('user/' + $companyId).child(auth.uid).child('managerEmail').val()"

However, I don't think this is the best approach for me because I am not familiar with creating extra servers for this. I was wondering if there is another approach, such as adding the following logic to the security rule:

  1. When Firebase receives the new data, Firebase looks into the "managerEmail" field and gets that value. -> newData.child('managerEmail')
  2. Firebase then uses the auth.uid value to go into user/uid/managerEmail to see if this value matches the obtained managerEmail.
  3. If they are the same, that means the data has not been modified on the client side.
  4. If they don't match, that means the client has somehow modified the user variable.

Upvotes: 2

Views: 702

Answers (1)

Frank van Puffelen

Reputation: 598728

The user can indeed change the uid in the client.

But Firebase's security rules are automatically enforced on the Firebase servers. And there is no way for them to fake the value of auth.uid in the security rules, unless they know the credentials to sign in as that user.

In other words: I can easily determine that your Stack Overflow user id is 7528750. But unless I also know your credentials (e.g. email+password), there is no way I can sign in to Stack Overflow and start posting as you.

Upvotes: 3
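
The check described in steps 1 to 4 of the question can be written directly in Realtime Database rules without a custom token server, because `auth.uid` is set by Firebase on the server, as the answer explains. This is an added example, not code from the question or the answer; it assumes the `user` and `forms` layout shown in the question, and that user records are written only by a trusted admin process (if users could edit their own record, they could change `companyId` or `managerEmail` before submitting).

```json
{
  "rules": {
    "user": {
      "$uid": {
        /* A user may read only their own record. */
        ".read": "auth != null && auth.uid === $uid",
        /* Assumption: records are provisioned with admin credentials, which
           bypass rules. Clients must not be able to change the companyId or
           managerEmail that the forms rules below trust. */
        ".write": false
      }
    },
    "forms": {
      "$companyId": {
        "pendingForms": {
          "$formId": {
            /* The path's company must match the company stored under the
               server-verified auth.uid, whatever the client's currentUser
               variable says. Assumption: forms are create-only here. */
            ".write": "auth != null && !data.exists() && root.child('user').child(auth.uid).child('companyId').val() === $companyId",
            /* Steps 1 to 4 from the question: the submitted managerEmail and
               userEmail must equal the values stored for auth.uid. */
            ".validate": "newData.child('managerEmail').val() === root.child('user').child(auth.uid).child('managerEmail').val() && newData.child('userEmail').val() === root.child('user').child(auth.uid).child('email').val()"
          }
        }
      }
    }
  }
}
```

A write to another company's `pendingForms` path, or one carrying a `managerEmail` that differs from the stored value, is rejected on the server with a permission-denied error regardless of what the client code was changed to send.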
