Home > Net >  Could a malicious user be able to modify Firestore form front end functions?
Could a malicious user be able to modify Firestore form front end functions?

Time:03-12

I have this security concern with Firestore. The issue is could a malicious user for example inject data in to his document? Or even Worst having access to different collections? I know rules play a major part in here, but since I am creating docs/updating docs/deleting docs from front end could an abuse for crud happen in the context of the single user? Also there is another part; I want to create a userSub collection (from front end) it will have a subscription info.

UserSub/uid
Premium: true 
Enddate: 2 days form now

Could a malicious user get the uid from authContext and make crud ops to modify the mention doc in the collection to let’s say 10 days from now extending his sub? Since he knows what doc I am creating for those values (from source code in chrome)?

CodePudding user response:

You must not allow users to update their subscription information from client. This should be done from backend only for example, if you use Stripe for payment, you should use their webhooks which would send subscription information to your backend/Cloud function that would update users subscription in your database or Firebase Auth custom claims.

You must ensure that this data is read only from users side using security rules if using database.

Page link:https//www.codepudding.com/net/332762.html

Prev:How to find spesific Object type from string value contained in this object's properties
Next:how to change values dynamically in a flutter list view and firebase as well
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding