1

I have a question regarding my Firebase setup, with respect to security and practicality.

The goal is the enable a user to purchase credits, and spend those credits one by one. To enable this, I set up a "users" object where I store user-data (name, address etc.), a "transactions" object where I store all the purchases (amount, time etc.), and a "spendcredits" object where I store the data connected to the user spending a credit (time, on what, etc.).

Since the App must know how many credits the user can still spend, I created a variable in the user-object called validCredits, where the current available credits should be stored. The user has read+write rights to his own user-object within "users" and read+write rights to his own object within "spendcredits". Only a different server has read+write rights to the "transactions" object.

So what happens is, the user purchases 5 credits. The server updates his validCredits variable with +5. The user spends a credit (-1), spends another (-1) and purchases 5 more credits (+5). His new validCredits amount is then 8.

I'm not sure whether this is a safe/optimal setup. I'm afraid that since a user has write rights to his own account, where the "validCredits" variable is stored, it might somehow be possible for him to add extra credits by increasing this value? Or can that be prevented by only allowing the user a "-1 credit" operator on this field?

I can also imagine that you might want to store everything in the "transactions" object, and just do a sum of all transactins when the App request the latest number of valid Credits? What is generally recommended for such a system with payments and credits?

t vm
  • 41
  • 3
  • This is a great question. How about a bit of clarification: Are you using Firebase Rules for verification or is it App based? What type of login authentication are you using? What platform is this? – Jay Oct 16 '15 at 17:55
  • You can use security rules to enforce a user only decreasing their `validCredits`. That said, this question is far too broad for SO. – Anid Monsur Oct 17 '15 at 01:27
  • @AnidMonsur Can you post an answer of an example security rule that would enforce a user to only decrease their validCredits? It's a good answer and would provide a possible solution to the initial question. – Jay Oct 17 '15 at 12:56

1 Answers1

1

The following rule can be used to enforce that a user can only decrease their validCredits by one at a time. I'm assuming that you have some way of distinguishing the server from a user, which is what auth.isServer represents.

{
  "users": {
    "$uid": {
       validCredits": "auth.isServer || newData.val() === data.val() - 1"
    }
  }
}
Anid Monsur
  • 4,538
  • 1
  • 17
  • 24