Home > Enterprise >  Is Firebase Database ServerValue Increment function safe in client-side?
Is Firebase Database ServerValue Increment function safe in client-side?

Time:01-03

I'm creating a simple game of tapping which should add a number to a Realtime Database key each press. I recently came across the increment(delta: n) function. But running it in clientside javascript will make it vulnerable. Or am I wrong? Doesn't it mean that players could edit their program and change the delta of the increment?

I thought I should run a back-end program on Cloud Firestore using the https.onCall() to execute the increment by calling a http request, but I realise that it is slow.

What is the best way of doing increment/transaction operation to avoid user tempering the program?

CodePudding user response:

Any database access that you code into the client-side application can be circumvented by a malicious developer. While a tool like Firebase App Check is a good deterrent for such abuse, it is no guarantee - a sufficiently motivated malicious user will find ways to work around it.

So what you instead will need to do is enforce the operation on the server, where you can be guaranteed that the API calls are doing what you actually intended. Putting the code in Cloud Functions is one way to accomplish that indeed, but another alternative is to implement security rules for your database. These are automatically executed by Firebase on its servers any time your client-side code tries to access the database, so there is no way for a malicious user to bypass these security rules.

For example, if you want to ensure that writes always increment the call by one, that'd be something like:

".write": "newData.val() = data.val()   1"

There are many more things you can do in these security rules, and I recommend that you develop them in tandem with your client-side application code. Check the documentation and the embedded video, to learn more.

  • Related