Updating User's Info without allowing user write ability

Question

How could you setup rules on Firebase which would allow a user to become a paid user of your app? For example, if I have the following data structure:

{
  users: [
    {
      isPaid: false
    },
    {
      isPaid: true
    }
  ]
}

How could you setup firebase rules to not allow the user to update it themselves (by fudging a request), but still allow it to be updated automatically when they "pay" for your app?

I've thought about randomly generating a number and asking the user to enter that number or something like that, but I don't think that would work... Has anyone done something like this?

Answer 1

You'll need to have a server process that securely writes the paid flag using a Firebase secret (that can be found on Forge for your Firebase). Set the ".write" rule for /users/isPaid as false - the server code can bypass this rule since it knows the secret. You should call firebaseRef.auth(secret) from your server code first.