How would you prevent users from spoofing a username in Firebase?

Question

How would you prevent users from spoofing a username in Firebase?

How can I prevent a user from spoofing the username by submitting something to Firebase using, say, a valid auth uid but the wrong "username"?

I could ONLY store the UID, but then I would have to force the client to look for all UIDs all the time. It would be ideal if I could somehow verify that the specified username matches the username in the log.

Ideally, I would make a rule that looks like this:

{
    "rules": {
        "chat":{
          "messages":{
            ".read":true,
            ".write":true,
            "$message":{
              ".read":true,
              ".write":true
              ".validate": "newData.child('name').val() == auth.facebook.displayName"
            }
          }
        }
    }
}

But the auth variable does not contain the username.

+3

firebase firebase-security

Garett Apr 22 15 at 21:04

source to share

1 answer

Frank van puffelen · Accepted Answer · 2015-04-22T21:40:11+0000

In most cases, developers save complete information about all users under a /users

node in their Firebase. For example.

/
  users
    twitter:478645678
      username: "puf"
      displayName: "Frank van Puffelen"
  chat
    messages
      -J328764236789
        author: twitter:478645678
        name: "puf"
        message: "Hello world"

With this structure, you can cross-reference the username to /users/<uid>/username

:

".validate": "newData.child('name').val() == root.child('users').child(auth.uid).child('username').val()"

How would you prevent users from spoofing a username in Firebase?

More articles: