CitrusMonkey

Reputation: 1

How do I configure Firebase-Security rules to limit 'what & when' users can write to Firebase data?

I understand well how to limit which users have '.read/.write' privileges to various nodes in firebase-realtime-database using firebase-security. I am struggling to understand how to limit what users can write to nodes and when users can write to nodes.

I am developing an app that provides rewards to its users and I'd like to track a points balance that users can exchange for rewards. When the user completes a task on the app, it will increase a user's points balance. Increasing this points balance from the client will require '.write' privileges in firebase-security.

I know client-side code does not protect Firebase data from being manipulated. Would it be possible for someone to manipulate his/her own points balance value outside of my app? And if so, how would I prevent someone from increasing his/her points balance by any number of points? The only way I would think is to deny '.write' privileges to this user for the points balance and use firebase-cloud-functions to update the points balance server-side instead of updating the points balance from client-side code. What do you guys think?

Upvotes: 0

Views: 103

Answers (1)

Doug Stevenson

Reputation: 317467

Would it be possible for someone to manipulate his/her own points balance value outside of my app?

Yes, anyone with an internet connection can access the database. Access is not limited to the application, given that there is a REST API for public use.

how would I prevent someone from increasing his/her points balance by any number of points?

You can write security rules that restrict how the end user can write the database directly. If direct write access is not going to be secure enough (given that the client can simply falsify the data), you will have to implement some backend code to do this securely. Cloud Functions is certainly one option for that.

It seems that you already understand the security implications here. This is pretty standard stuff for most apps.

Upvotes: 1
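The pattern the answer describes (no client write access to the balance, a backend that awards points), worked through as an added example. This is not code from the question or from Doug Stevenson's answer; the rules object, the task catalogue, the `completeTask` function and the in-memory stand-in for `admin.database()` are all constructed here. The rules deliberately grant `.write` only on `profile`, because Realtime Database rules cascade downward: once a parent grants write, a child cannot take it back, so leaving `points` without any `.write` rule is what keeps the client out. The Cloud Function runs with the Admin SDK (which bypasses rules), takes a task id rather than an amount from the client, and records each task inside the same transaction so a request cannot be replayed.

```javascript
// Added example (not from the question or answer): client writes to `points`
// are never granted; a server-side function awards points from a catalogue and
// marks the task as claimed inside one transaction.

// database.rules.json, as a JS object. Clients read their own node and edit
// their own profile. Nothing grants '.write' on `points`, so only Admin SDK
// code can change it ('.write: false' under a permissive parent would be ignored).
const DATABASE_RULES = {
  rules: {
    users: {
      $uid: {
        ".read": "auth != null && auth.uid === $uid",
        profile: {
          ".write": "auth != null && auth.uid === $uid",
          displayName: { ".validate": "newData.isString() && newData.val().length <= 40" },
          $other: { ".validate": false }, // reject keys not listed above
        },
        points: { ".validate": "newData.isNumber() && newData.val() >= 0" },
      },
    },
  },
};

// Server-side catalogue (constructed): the client names a task, never an amount.
const TASK_REWARDS = { daily_checkin: 5, complete_survey: 50 };

// Pure transaction body: take the user's current node, return the updated one.
// Throws if the task is unknown or was already claimed by this user.
function applyTaskReward(userNode, taskId) {
  const reward = TASK_REWARDS[taskId];
  if (reward === undefined) throw new Error(`unknown task: ${taskId}`);
  const node = userNode || {};
  const completed = node.completedTasks || {};
  if (completed[taskId]) throw new Error(`task already claimed: ${taskId}`);
  return {
    ...node,
    points: (node.points || 0) + reward,
    completedTasks: { ...completed, [taskId]: true },
  };
}

// `db` is anything exposing ref(path).transaction(updateFn); in production pass
// admin.database(). Exposed to clients as a callable function, e.g.:
//   exports.completeTask = functions.https.onCall((data, ctx) =>
//     completeTask(admin.database(), ctx.auth && ctx.auth.uid, data.taskId));
async function completeTask(db, uid, taskId) {
  if (!uid) throw new Error("unauthenticated");
  if (typeof taskId !== "string" || !(taskId in TASK_REWARDS)) {
    throw new Error("invalid task");
  }
  const result = await db.ref(`users/${uid}`).transaction((current) => {
    try {
      return applyTaskReward(current, taskId);
    } catch (e) {
      return undefined; // returning undefined aborts the transaction
    }
  });
  if (!result.committed) throw new Error(`task already claimed: ${taskId}`);
  return result.snapshot.val().points;
}

// Constructed in-memory stand-in for admin.database(), enough to run offline.
function fakeDatabase(initial = {}) {
  const store = initial;
  return {
    ref(path) {
      const keys = path.split("/");
      return {
        async transaction(updateFn) {
          let parent = store;
          for (const k of keys.slice(0, -1)) parent = parent[k] = parent[k] || {};
          const last = keys[keys.length - 1];
          const current = parent[last] === undefined ? null : parent[last];
          const next = updateFn(current);
          if (next === undefined) {
            return { committed: false, snapshot: { val: () => current } };
          }
          parent[last] = next;
          return { committed: true, snapshot: { val: () => next } };
        },
      };
    },
  };
}

// Award two tasks to one user, then replay one of them.
async function demo() {
  const db = fakeDatabase();
  const first = await completeTask(db, "alice", "complete_survey");
  const second = await completeTask(db, "alice", "daily_checkin");
  let replay;
  try {
    await completeTask(db, "alice", "daily_checkin");
  } catch (e) {
    replay = e.message;
  }
  return { first, second, replay, rules: DATABASE_RULES };
}

demo().then((r) => console.log(r.first, r.second, r.replay));
```

A client that edits its own `points` value through the REST API or a modified app is simply rejected by the rules; the only path that changes the balance is the function, and that path decides both what is written (the catalogue amount) and when (once per task per user, enforced inside the transaction rather than by a separate read-then-write).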
