How to prevent unauthorized read/writes for (MongoDB) database?

Question

Let's say I have a MongoDB Atlas database connected to my server, and Firebase as authentication. My Firebase server logic can check if user is logged in or not. Good. But how can it check if the request to read or update data from the MongoDB database is authorized?

Let's say someone knows my server location and makes a request to increase the 'score' value of a certain user +1,000 in MongoDB (where it is connected to). The malicious-request-person did this by signing in with Firebase Auth credentials, then using the returned access key + secret (i.e. he passed the Firebase authentication) in combination with the malicious custom code to overwrite the database; there was nothing stopping him from accessing the entire database (i.e. he was fully authorized). How is this prevented in practice?

Perhaps I am missing something here but it appears that tools like Firebase/AWS Amplify Cognito allow you to authenticate, but they do not allow you to effectively authorize use of non-Firebase/non-Cognito services..? I am trying to see how this works in practice ...

Answer 1

In practice, you'll probably want certain tiers. What you're probably looking for is having an API. The API would use the Firebase authentication, but you would restrict all database transactions to come from an authorized user, which would be the API. From there, you can restrict permissions based on certain users and all that logic would be handled by the API.

The key here is that your user should have restricted permissions and your API should mediate his request. A user should never have direct access to the database, this is highly dangerous for your data, especially if it contains anything remotely sensitive.

Your question is very open ended, so I would highly suggest you read on software architecture principles.