0

I'll roughly explain the code of my app (react native with expo):

  1. I query firestore to get an X value of a certain document.
  2. on the client side I do the following: if X> = 100 then I query cloud storage to get a certain file, otherwise if X <100 I query it for another file.

Having one file rather than another is very important in terms of security. Do you think that step 1) can be altered (firestore response) or the malicious user can do something else to get the file he wants regardless of the value of X?

Carlo Casadei
  • 5
  • 1
  • 3

1 Answers1

0

Yes, anything on client side be changed and such simple if else statements are not good. What is that X you are talking of? Is it sometjime unique for each user? If yes then you should consider using Firebase Custom Claims along with Storage security rules. You store that value of X in user's Custom Claims along with Firestore.

Other option would be using signed URLs (basically having short likespan) using Cloud functions. When a user requests something check that value in Firestore through cloud function and if it satisfies the need, generate a signed url and return to user.

Dharmaraj
  • 47,845
  • 8
  • 52
  • 84