I'm trying to develop a real-time anonymous queue with Firebase Realtime Database. The concept is that when a person visits my webpage, it will generate a UUID and insert a record in the Firebase DB. Based on the position of the UUID, I will determine that user's position in the queue. Here is a sample of the documents:
{
  _random_key_1: {
    uuid: '47c044c7-da32-4e37-a416-cb2d621e0e39',
    is_finished: false
  },
  _random_key_2: {
    uuid: 'bcb8e01f-7745-43aa-9897-fd217d755769',
    is_finished: false
  },
  _random_key_3: {
    uuid: 'cdf754bd-4626-4da1-b676-9ebe87927a04',
    is_finished: false
  },
}
Here, the position of the user with queue id cdf754bd-4626-4da1-b676-9ebe87927a04 is 3. When someone in front of a queue finishes his thing, I will update his queue object with is_finished: true and recalculate the position of everyone else connected to this DB.
For example, let's say the first user (47c044c7-da32-4e37-a416-cb2d621e0e39) finishes his thing. Here is how the documents will look:
{
  _random_key_1: {
    uuid: '47c044c7-da32-4e37-a416-cb2d621e0e39',
    is_finished: true
  },
  _random_key_2: {
    uuid: 'bcb8e01f-7745-43aa-9897-fd217d755769',
    is_finished: false
  },
  _random_key_3: {
    uuid: 'cdf754bd-4626-4da1-b676-9ebe87927a04',
    is_finished: false
  },
}
Now, the position of the user with queue id cdf754bd-4626-4da1-b676-9ebe87927a04 is two because there is only one person with an unfinished task in front of him.
The problem is, since I'm doing all of this from the frontend (because I'm expecting heavy load on the application and not planning to overload my backend server), anyone can steal my Firebase credentials and maliciously set is_finished = true for everyone in front of him.
How do I prevent such a scenario?
CodePudding user response:
You can use Firebase's server-side security rules to control what users can write. Since these are enforced on the server, users can't bypass them from the client-side code.
For example, if a user should only be able to add an item with is_finished set to false, you can use a validation rule to enforce that. This does require that you can distinguish regular users from the user that processes the queue items, so it typically means you'll either want to use Firebase Authentication to identify them - or run the processing code with one of Firebase's Admin SDKs in a trusted environment (such as your development machine, a server you control, or Cloud Functions/Cloud Run that Renaud mentioned).
Also consider using Firebase App Check, which makes it much harder for a malicious user to run their own code with your configuration keys. While this will help against abuse, it is not a guarantee that all malicious use is eliminated, so you should still take the approach described above too.
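One way to express the validation rule described in the answer, as an added example that is not part of the original answer. It assumes the queue entries live under a hypothetical `queue` path and that the processing account carries a hypothetical `processor` custom claim set through Firebase Authentication; code running with the Admin SDK bypasses these rules and needs no claim.

```json
{
  "rules": {
    // "queue" is an assumed path; the question does not name the parent node.
    "queue": {
      // Clients read the whole list to compute their own position.
      ".read": true,
      "$entry": {
        // Anonymous visitors may only create a new entry. They can never
        // overwrite or delete an existing one. The processor (assumed
        // custom claim "processor") may write to any entry.
        ".write": "(!data.exists() && newData.exists()) || (auth != null && auth.token.processor === true)",

        // Every entry must carry both fields.
        ".validate": "newData.hasChildren(['uuid', 'is_finished'])",

        "uuid": {
          // Shape check only: a string of UUID length, immutable once set.
          ".validate": "newData.isString() && newData.val().length === 36 && (!data.exists() || data.val() === newData.val())"
        },

        "is_finished": {
          // A new entry must start unfinished. Only the processor can
          // store true, so a visitor cannot mark the people ahead of
          // him as finished.
          ".validate": "newData.val() === false || (auth != null && auth.token.processor === true)"
        },

        // Reject any field other than the two above.
        "$other": { ".validate": false }
      }
    }
  }
}
```

The Rules Playground in the Firebase console can replay an unauthenticated write of `is_finished: true` against an existing key to confirm it is denied.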