JavaScript
gallantalex, 2017-05-09 00:17:46

Is it safe to work with Firebase on the frontend?

There is a Firebase service that lets you work with the database directly from the frontend (JavaScript). But how safe is it? Let's say there is a simple todo list and the user has some tasks in it. Since the request to the database is sent directly from the client, the user can easily change the request condition and look not at his own, but at other people's tasks? As I understand it, this system turns out to be meaningless and a backend is clearly needed here?


2 answer(s)
mitaichik, 2017-05-09
@mitaichik

Firebase has functionality for authentication and rights differentiation. If everything is done correctly, then the user will never receive other people's data. Everything is written in the docs.

RaulDuke, 2017-05-09
@RaulDuke

> Since the request to the database is sent directly from the client, the user can easily change the request condition and look not at his own, but at other people's tasks? As I understand it, this system turns out to be meaningless and a backend is clearly needed here?

No, not like this. FB has authentication, during which each user is assigned a unique UID of the form "wqdMpNOP4vUG79a1Dv3vZtLU9rk2". This uid is used to configure the so-called Security Rules. For the task you described, they could look like this:
{
  "rules": {
    "tasks": {
      "$user_id": {
        // only the user themselves can read
        ".read": "$user_id === auth.uid",
        // all authenticated users can write, and only to create new entries
        ".write": "auth !== null && !data.exists()"
      }
    }
  }
}

I hope I answered your question.
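
An added example, not part of the original answer and not Firebase's own code: a simplified JavaScript model of the decision the database makes on the server for a request to /tasks/<user_id> under the rules above. The UIDs, the sample data and the `ownerOnlyRules` variant are constructed assumptions for illustration.

```javascript
// Simplified model (not the Firebase rules engine) of the server-side check
// for a request addressed to /tasks/<userId>.
// auth is null for an unauthenticated client, otherwise { uid }.
// data is what already exists at /tasks/<userId>, or undefined.

// The two expressions from the answer, as plain predicates.
const answerRules = {
  read: ({ userId, auth }) => auth !== null && userId === auth.uid,
  write: ({ auth, data }) => auth !== null && data === undefined,
};

// Assumed variant (not from the answer): creation is also tied to the owner.
const ownerOnlyRules = {
  read: answerRules.read,
  write: ({ userId, auth, data }) =>
    auth !== null && userId === auth.uid && data === undefined,
};

// Constructed state: alice already has tasks, bob has none yet.
const db = { tasks: { "uid-alice": { t1: "buy milk" } } };
const alice = { uid: "uid-alice" };
const bob = { uid: "uid-bob" };

// The client chooses op and userId; auth comes from the verified token,
// so editing the request on the client changes only op and userId.
function decide(rules, op, userId, auth) {
  return rules[op]({ userId, auth, data: db.tasks[userId] });
}

// Decision table for the cases discussed in the question.
function decisionTable(rules) {
  return {
    aliceReadsOwn: decide(rules, "read", "uid-alice", alice),
    aliceReadsBobs: decide(rules, "read", "uid-bob", alice),
    anonymousReads: decide(rules, "read", "uid-alice", null),
    anonymousWrites: decide(rules, "write", "uid-bob", null),
    bobCreatesOwn: decide(rules, "write", "uid-bob", bob),
    aliceOverwritesOwn: decide(rules, "write", "uid-alice", alice),
    aliceCreatesUnderBob: decide(rules, "write", "uid-bob", alice),
  };
}

console.table({
  answerRules: decisionTable(answerRules),
  ownerOnlyRules: decisionTable(ownerOnlyRules),
});
```

The last row is the one to review: under the answer's write rule any signed-in user may create the node for a `$user_id` that has no data yet, which matches its comment, while the assumed variant restricts creation to the owner.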
