1

My user login system will automatically create a new document in the database collection when somebody signs up with a new phone number.

The creation and updating of user document is done through the client side JavaScript and I am using the firestore security rules for preventing a basic user from writing or modifying document properties like isActivated and isAdmin. It will work with below rule:

allow write: if request.response.data.isActive==null || request.response.data.isActive == response.data.isActive &&
request.response.data.isAdmin==null || request.response.data.isAdmin == response.data.isAdmin;

But still some hacker guys can easily modify the dbRef.add() function on the client side and add useless data like {age: "hacker won't tell ya", hackersName: "Naah!", foo: "bar", bar: "foo"} and so on.

I want the user document to hold only the properties name, phone_number, isActive, isAdmin, FCMtoken and nothing else. Did anybody else fall into the same trouble? and any idea for accomplishing this?

Jishnu Raj
  • 170
  • 3
  • 16

1 Answers1

3

To assert that a resource only has a certain list of keys, you can use rules.List#hasOnly() which will evaluate to false if a value appears that is not in the given list.

request.response.data.keys().hasOnly(['name', 'phone_number', 'isActive', 'isAdmin', 'FCMtoken'])

Combining this with your other (fixed) restrictions, gives:

allow write: if (request.response.data.isActive == null || request.response.data.isActive == response.data.isActive)
             && (request.response.data.isAdmin == null || request.response.data.isAdmin == response.data.isAdmin)
             && request.response.data.keys().hasOnly(['name', 'phone_number', 'isActive', 'isAdmin', 'FCMtoken']);
samthecodingman
  • 23,122
  • 4
  • 30
  • 54