How to isolate firebase variable from browser console

I'm working on a project using Firebase services and I realize that the firebase variable (or object, I'm not so sure) is accessible from the Chrome console. This will cause some security issues, which could let a user sabotage my app, like adding or deleting data in ways that are not supposed to happen. I believe this can happen not only with the firebase variable, but also with any other variable (in general).

[Screenshot: Chrome Console]

I've been reading articles about IIFE, but in this case it is not working and firebase is still available. My question is: how can I prevent this from happening?


Attackers can access the firebase variable from the console, but you can set up security rules to keep your database safe. There is a video on this topic that Fireship made on YouTube.


Attackers will not be able to write data if you set up security rules. They are available for Firestore, Realtime Database, and Storage. Docs: https://firebase.google.com/docs/rules/basics

You can restrict access to the DB with the following lines:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

But if you want to restrict several fields, you can restrict access to defined properties. Also, you're able to restrict access for unauthorised users.

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /some_collection/{document} {
      allow read: if true;
      allow create: if request.auth.uid == request.resource.data.author_uid;
      allow update, delete: if request.auth.uid == resource.data.author_uid;
    }
  }
}

Also, you can write unit tests for rules to test if they work correctly.

And many, many more.
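As an added example (not part of the answers above and not Firebase's own code), the following JavaScript models how the second ruleset decides requests that a user could issue from the browser console. The `ownerMatches` and `evaluate` helpers and all sample documents are constructed for illustration.

```javascript
// Added example: a plain-JS model of the second ruleset, not the Firebase rules engine.
// Shapes mirror the rules language: request.auth is null when signed out,
// request.resource.data is the incoming document, resource.data the stored one.
function ownerMatches(auth, doc) {
  // In real rules a null auth or a missing field is an evaluation error => deny.
  return Boolean(auth && typeof auth.uid === "string" &&
                 doc && doc.data && doc.data.author_uid === auth.uid);
}

function evaluate(op, request, resource) {
  switch (op) {
    case "read":
      return true; // allow read: if true
    case "create":
      return ownerMatches(request.auth, request.resource); // incoming data
    case "update":
    case "delete":
      return ownerMatches(request.auth, resource); // stored data only
    default:
      return false; // no matching allow statement => denied
  }
}

// Constructed sample data: one stored document and requests typed into a console.
const stored = { data: { author_uid: "alice", title: "post" } };
const doc = (uid) => ({ data: { author_uid: uid, title: "x" } });
const cases = [
  ["signed-out read", "read", { auth: null }, stored],
  ["signed-out create", "create", { auth: null, resource: doc("alice") }, null],
  ["create spoofing another author", "create", { auth: { uid: "mallory" }, resource: doc("alice") }, null],
  ["create as self", "create", { auth: { uid: "mallory" }, resource: doc("mallory") }, null],
  ["update someone else's doc", "update", { auth: { uid: "mallory" }, resource: doc("mallory") }, stored],
  ["owner delete", "delete", { auth: { uid: "alice" } }, stored],
  // The update rule never inspects request.resource, so an owner can rewrite author_uid.
  ["owner reassigns author_uid", "update", { auth: { uid: "alice" }, resource: doc("bob") }, stored],
];

function runCases() {
  return cases.map(([name, op, request, resource]) => [name, evaluate(op, request, resource)]);
}

for (const [name, allowed] of runCases()) {
  console.log(`${allowed ? "ALLOW" : "DENY "}  ${name}`);
}
```

If `author_uid` should be immutable, the update rule would also need to compare `request.resource.data.author_uid` with the stored value.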