Carlo Casadei

Reputation: 15

Firebase firestore and cloud storage: can an if else check be safe on client side?

I'll roughly explain the code of my app (React Native with Expo):

  1. I query Firestore to get an X value of a certain document.
  2. On the client side I do the following: if X >= 100 then I query Cloud Storage to get a certain file, otherwise if X < 100 I query it for another file.

Having one file rather than another is very important in terms of security. Do you think that step 1) can be altered (firestore response) or the malicious user can do something else to get the file he wants regardless of the value of X?

Upvotes: 0

Views: 95

Answers (1)

Dharmaraj

Reputation: 50930

Yes, anything on the client side can be changed, and such simple if-else statements are not good. What is that X you are talking of? Is it something unique for each user? If yes, then you should consider using Firebase Custom Claims along with Storage security rules. You store that value of X in the user's Custom Claims along with Firestore.

Another option would be using signed URLs (basically having a short lifespan) using Cloud Functions. When a user requests something, check that value in Firestore through a Cloud Function and, if it satisfies the need, generate a signed URL and return it to the user.

Upvotes: 0
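
The signed-URL option from the answer above, sketched as an added example that is not part of the original question or answer: the X >= 100 decision runs inside a Cloud Function and the client only receives a short-lived link. The collection name `users`, the field `x`, the two object paths and the 5-minute lifetime are assumptions; `db` and `bucket` stand for `admin.firestore()` and `admin.storage().bucket()`.

```javascript
'use strict';

// Assumed names (not from the post): collection "users", field "x",
// and the two object paths below. The threshold 100 is the post's.
const THRESHOLD = 100;
const HIGH_OBJECT = 'protected/high.bin';
const LOW_OBJECT = 'protected/low.bin';
const URL_TTL_MS = 5 * 60 * 1000; // short-lived link

// Server-side version of the client's if/else. Returns null (deny)
// unless X is a real number, so a missing or malformed field fails closed.
function chooseObject(x) {
  if (typeof x !== 'number' || !Number.isFinite(x)) return null;
  return x >= THRESHOLD ? HIGH_OBJECT : LOW_OBJECT;
}

// Core of the function. `uid` must come from the verified Firebase ID
// token (the callable's auth context), never from request data.
// `db` is a Firestore handle and `bucket` a Cloud Storage bucket handle.
async function getFileUrl(uid, db, bucket, now = Date.now()) {
  if (typeof uid !== 'string' || uid === '') {
    return { ok: false, reason: 'unauthenticated' };
  }
  const snap = await db.collection('users').doc(uid).get();
  if (!snap.exists) return { ok: false, reason: 'no-document' };

  const objectPath = chooseObject(snap.get('x'));
  if (objectPath === null) return { ok: false, reason: 'invalid-x' };

  const [url] = await bucket.file(objectPath).getSignedUrl({
    version: 'v4',
    action: 'read',
    expires: now + URL_TTL_MS,
  });
  return { ok: true, url };
}

// Wiring in a deployed function (needs firebase-admin and firebase-functions):
//   exports.getFile = functions.https.onCall((data, context) =>
//     getFileUrl(context.auth && context.auth.uid,
//                admin.firestore(), admin.storage().bucket()));
```

This only protects the files if the Storage security rules deny direct client reads of both objects and clients cannot write the `x` field in Firestore, so the signed URL is the only way in.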
