0

Currently I have a user collection with user documents inside and each user has a currentPoints integer field that can get updated from inside the application via a button click

                                    transaction
                                    .update(couponCollectionReference, {
                                  'currentPoints':
                                      FieldValue.increment(10),
                                });

If someone decided to reverse engineer my app, can they just change the increment to FieldValue.increment(1000) instead, compile the app and just use it like that ?

I am wondering if I should just use cloud functions for the major of these operations

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
FlutterChicken
  • 57
  • 6

1 Answers1

0

Transactions are designed to protect against race conditions between multiple users, but are not a security mechanism against abuse.

You can catch many forms of abuse in the server-side security rules that you can write for your database. I've written secure voting systems with that, so likely your case can be secured through rules too.

If you search for the [google-cloud-firestore][firebase-security] tag combination, you'll find many questions about the topic.

That said, many developers new to Firebase's security rules are more familiar with securing access through server-side code, which is fine too.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Thank you for responding Frank, so if I got this correctly, I can edit my security rules so that the only value that can be added to **currentPoints** is 10, and if anything else is tring to be written to it it will simply deny ? Also I was wondering if I have a boolean field **isVisible** inside a different collection that can only be read by users, and that field decides if a widget inside the app is visible or not, can a user just change that value to **true** instead of **isVisible** so the widget is always visible on his screen ? – FlutterChicken Jan 08 '22 at 16:42
  • Security rules don't control what is showing on your screen. But if your application code reads whether it needs to show that button from a fixed location in the database (so without a query), then your security rules can indeed enforce that the corresponding write operation can also only be performed under that condition. I recommend trying such operations, and posting back with a [minimal repro](http://stackoverflow.com/help/mcve) if you get stuck. – Frank van Puffelen Jan 08 '22 at 19:13
  • Thank you for taking out your time to shed some light on this worry of mine. I guess I still don't know enough about security that I worry about someone changing my code and being able to change anything they want in the firebase database – FlutterChicken Jan 08 '22 at 20:07
  • 1
    That is quite normal, but it's something we can't take away for you. I recommend reading the documentation ([1](https://firebase.google.com/docs/firestore/security/get-started), [2](https://firebase.google.com/docs/rules/basics)) watching these videos ([1](https://www.youtube.com/watch?v=PUBnlbjZFAI), [2](https://www.youtube.com/watch?v=vBUk293QSKY), [3](https://www.youtube.com/watch?v=1PEdd2rtG30), [4](https://www.youtube.com/watch?v=HyZQBC-KSuM)), and trying to build your own rules and then to break them. – Frank van Puffelen Jan 08 '22 at 20:18
  • 1
    The most important is usually to start from the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege): start with a fully locked down database, and then only allow exactly what your code does. For more on that see my answers to these questions ([1](https://stackoverflow.com/questions/69404979/what-security-rules-should-be-applied-to-reads-in-firebase/69407457#69407457), [2](https://stackoverflow.com/questions/70471480/nuxtjs-firebase-firestore-firebaseerror-missing-or-insufficient-permissions/70474221#70474221)) – Frank van Puffelen Jan 08 '22 at 20:21