AlikElzin-kilaka

Reputation: 35991

How to make a geofire query from firebase and not from Android?

I'm trying to query a location db, geofire, but don't want the query fully open from the client's side.

If I allow the Android client to specify the point and radius (as specified here), I'm opening an app for a security breach, making it possible for any user to do whatever query it wants.

One way to prevent that is a server side query (i.e. radius isn't specified by client). But how can I do it with a server-less firebase architecture?

Any other idea to protect the queried data? Thanks.

Upvotes: 0

Views: 113

Answers (1)

Frank van Puffelen

Reputation: 598728

If you want to run code in a trusted environment, without spinning up servers, you can look at Cloud Functions or Cloud Run, both of which have integrations from Firebase.


That said, I'd consider what the security risk is that you're guarding against.

The recommended data structure for GeoFire on the Firebase Realtime Database separates the geodata from the other data of each tracked key in a structure like this:

"_geodata": {
  "sf-muni:1040":{"g":"9q8yyhxbe5","l":[37.773846,-122.420868]},
  "sf-muni:1050":{"g":"9q8zn6egkz","l":[37.807301,-122.415298]},
  "sf-muni:8946": {"g":"9q8ympvrg3","l":[37.705044,-122.468231]},
  ...
},
"sf-muni": {
  "vehicles": {
    "1040": {"dirTag":"F____I_F00","heading":45,"id":1040,"lat":37.773846,"lon":-122.420868,"predictable":true,"routeTag":"F","secsSinceReport":6,"speedKmHr":11,"timestamp":1637368646567,"vtype":"train"},
    "1050": {"heading":75,"id":1050,"lat":37.807301,"lon":-122.415298,"predictable":true,"routeTag":"F","secsSinceReport":3,"speedKmHr":31,"timestamp":1637368659567,"vtype":"train"},
    "8946": {"dirTag":"28___O_F00","heading":88,"id":8946,"lat":37.705044,"lon":-122.468231,"predictable":true,"routeTag":"28","secsSinceReport":2,"speedKmHr":0,"timestamp":1637368660567,"vtype":"bus"}
    ...
  }
}

So the _geodata node only stores an application-defined key for each location, and that is the only data structure that must be readable to all users (as you can't query data that you can't read). To look up the actual data for each key requires an extra lookup in this data model, which can then have its own security rules.

Only if you use data events (which I recommend against) are you joining the two types of data and thus ending up with a single set of security rules for both of them.

Upvotes: 1
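
The split described in the answer above, written out as Realtime Database security rules. This is an added example, not part of the original answer; the `auth != null` condition and the choice to deny all client writes (assuming a trusted backend writes through the Admin SDK, which bypasses rules) are assumptions.

```json
{
  "rules": {
    // GeoFire index: key -> geohash "g" and [lat, lon] "l". Geo queries attach
    // to this node, so the read rule has to sit on the node itself.
    "_geodata": {
      ".read": true,
      ".write": false,
      ".indexOn": ["g"]
    },
    "sf-muni": {
      "vehicles": {
        // No ".read" at this level: clients cannot list or query all vehicles.
        "$vehicleId": {
          // Assumption: only signed-in users may fetch a vehicle record by key.
          ".read": "auth != null",
          // Assumption: records are written by a trusted backend (Admin SDK).
          ".write": false
        }
      }
    }
  }
}
```

With these rules any client can still read every key and coordinate pair under `_geodata`; only the per-vehicle detail behind the second lookup is gated.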
