Currently I have a `users` collection with user documents inside, and each user has a `currentPoints` integer field that gets updated from inside the application via a button click:

```dart
// Inside a Firestore transaction in the client app (Flutter/Dart)
transaction.update(couponCollectionReference, {
  'currentPoints': FieldValue.increment(10),
});
```

If someone decided to reverse engineer my app, could they just change the increment to `FieldValue.increment(1000)` instead, compile the app, and use it like that?

I am wondering if I should just use Cloud Functions for the majority of these operations.
> Solution:
Transactions are designed to protect against race conditions between multiple users, but are not a security mechanism against abuse.
You can catch many forms of abuse in the server-side security rules that you can write for your database. I’ve written secure voting systems with that, so likely your case can be secured through rules too.
If you search for the [google-cloud-firestore][firebase-security] tag combination, you’ll find many questions about the topic.
That said, many developers new to Firebase’s security rules are more familiar with securing access through server-side code, which is fine too.
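As an added illustration of the rules-based approach described in the answer (this is example code, not part of the original question or answer), the following Firestore security rules only permit a user to update their own document, only touch the `currentPoints` field, and only raise it by exactly 10 per write. The collection path `users/{userId}` and the assumption that the document id equals the user's auth UID are assumptions for this example; the question does not state how `couponCollectionReference` is built.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed layout: one document per user, keyed by the Firebase Auth UID.
    match /users/{userId} {
      allow read: if request.auth != null
                  && request.auth.uid == userId;

      // The rule evaluates the post-write document, so a client
      // FieldValue.increment(1000) shows up here as a +1000 delta and is rejected.
      allow update: if request.auth != null
                    && request.auth.uid == userId
                    // Only currentPoints may change in this write.
                    && request.resource.data.diff(resource.data)
                         .affectedKeys().hasOnly(['currentPoints'])
                    // The delta must be exactly +10.
                    && request.resource.data.currentPoints
                         == resource.data.currentPoints + 10;

      // Creation and deletion of user documents are left to trusted server code here.
      allow create, delete: if false;
    }
  }
}
```

This bounds the size of each increment, but it does not limit how often the button can be pressed: a modified client could still issue many valid +10 writes. If the business logic also requires "only once per coupon" or a rate limit, that condition has to be encoded in the data model (for example, a per-coupon marker document the rule checks) or moved into a Cloud Function, which is the server-side alternative the answer also mentions.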