Possible to change Firebase callable Functions data on Front End?

manpreet Best Answer 2 years ago

I'm using Stripe and Firebase Function for payment. My current scenario for buying items in my app looks like the following.

• Loading an Item, which is an firestore document with an Id and a price
• User clicks on "Buy now for price", enters credit card information and confirems
• I get a stripe source with an id, which to my knowledge contains information about the credit card
• I call my firestore callable function and pass the stripeSourceId, itemID and the item.price
• In my function I check if the user (from context) is authentiated, then I charge the user and save the bought item in the user data, to deisplay the item later

My concerns are the point 4. Is it possible for a user to hack my front end code in a way, so that after stripe returns the sourceId, the hacker would call the function with a different price or a different itemId to get a different item for another price? If that is the case, how could I fix this problem?

manpreet 2 years ago

Anything you pass from the client to the server, can be changed by a malicious user. That's why you should never trust any data that comes directly from the server.

The solution is to only pass the itemID from the client, and have the server look up the price based on that. If the malicious user passes a different item ID, they'll just be buying a different item, but still at the price that you have set.

I highly recommend watching Five tips to secure your app from the Firebase Summit 2018 for more tips on securing your app.