Home > database >  How to prevent a malicious user from pushing data into a document in Firebase?
How to prevent a malicious user from pushing data into a document in Firebase?

Time:03-23

I am using a front-end Firebase to create a document not integrated with node at this point, I am trying to solve the issue of preventing a malicious user from posting in the document that I am creating from the front-end, I mean the front-end in my app can create data and push them to the Firestore but what my concern is a user that will intentional push data into the collection or even causing a unnecessary writes to the document what I thought about is making a cloud function that will check if the model of the application is in certain shape (my default shape since you cannot make a model like in mongo) and if someone model will be different the account and the whole document will be deleted and the user will be regarded as malicious. I would also like to know what will happen if the document size is exceeded? will exceeding the size stop the database from adding data to that doc or what is the accepted behavior in this case ?

  const AddGroup = async (//some data) => {
    try {
      const docRefCol = doc(db, //some collection, //some document in side colletion);
      // Add
      await updateDoc(docRefCol, {
        //Some melicious data or data that the user decied on pushing by abusing the front end logic
      });
    } catch (error) {
      errorHandeling(error, 'An error has happened');
    }
  };

CodePudding user response:

You cannot prevent anyone from making update requests to Firestore but if you have security rules setup then that should not be an issue. If you are referring to your document's structure, then you use hasOnly() to prevent user from creating any new fields in your document.

allow write: if request.resource.data.keys().hasOnly(['name', 'age'])

For example, the above rule will only allow name and age field to update in updated document.

In cases like a field is an array, then you'll need some other logic like max array size or some sort of rate limiting to prevent spam data being pushed in an array.

what will happen if the document size is exceeded?

It won't update and the SDK will throw an error.

CodePudding user response:

Take a look at Firebase auth and implement it.

Link - https://firebase.google.com/products/auth Documentation - https://firebase.google.com/docs/auth

Or Implement a custom authentication system in your Node backend

  • Related