I'm using Stripe and Firebase Functions for payment. My current scenario for buying items in my app looks like the following.
1. Load an item, which is a Firestore document with an ID and a price.
2. The user clicks on "Buy now for price", enters credit card information and confirms.
3. I get a Stripe source with an ID, which to my knowledge contains information about the credit card.
4. I call my Firestore callable function and pass the stripeSourceId, itemID and the item.price.
5. In my function I check if the user (from context) is authenticated, then I charge the user and save the bought item in the user data, to display the item later.
My concern is point 4. Is it possible for a user to hack my front-end code in a way that, after Stripe returns the sourceId, the hacker calls the function with a different price or a different itemId to get a different item for another price? If that is the case, how could I fix this problem?
Anything you pass from the client to the server can be changed by a malicious user. That's why you should never trust any data that comes directly from the server.
The solution is to only pass the itemID from the client, and have the server look up the price based on that. If the malicious user passes a different item ID, they'll just be buying a different item, but still at the price that you have set.
I highly recommend watching Five tips to secure your app from the Firebase Summit 2018 for more tips on securing your app.
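The server-side price lookup this answer recommends, written out as an added example (it is not code from the question, the answer, or the Firebase or Stripe projects). The callable handler is modelled as plain functions so it runs without the Firebase and Stripe SDKs: `catalog` stands in for the Firestore item documents, `chargeFn` for the Stripe charge call, and the `src_...` id format is an assumption.

```javascript
// Constructed catalog standing in for the Firestore item documents the
// question describes: document id -> price in the smallest currency unit.
// (The real function would read the item document with the Admin SDK.)
const catalog = {
  'item-basic': { price: 1999, currency: 'usd' },
  'item-pro': { price: 4999, currency: 'usd' },
};

// Validate the callable payload. Only stripeSourceId and itemId are read;
// a client-supplied price is deliberately ignored, since anything the client
// sends can be altered. Stripe source ids are assumed to look like "src_...".
function validateRequest(data) {
  if (typeof data !== 'object' || data === null) {
    throw new Error('invalid-argument: payload must be an object');
  }
  const { stripeSourceId, itemId } = data;
  if (typeof stripeSourceId !== 'string' || !/^src_[A-Za-z0-9]{8,}$/.test(stripeSourceId)) {
    throw new Error('invalid-argument: stripeSourceId');
  }
  if (typeof itemId !== 'string' || !Object.prototype.hasOwnProperty.call(catalog, itemId)) {
    throw new Error('not-found: unknown itemId');
  }
  return { stripeSourceId, itemId };
}

// Body of the callable function. `context.auth` has the shape Firebase passes
// to onCall handlers; `chargeFn` stands in for the Stripe charge call and is
// injected (synchronously here, asynchronously with the real SDK) so the
// example runs offline.
function buyItem(data, context, chargeFn) {
  if (!context || !context.auth || typeof context.auth.uid !== 'string') {
    throw new Error('unauthenticated');
  }
  const { stripeSourceId, itemId } = validateRequest(data);
  const item = catalog[itemId]; // server-side price: the only one ever charged
  const charge = chargeFn({
    amount: item.price,
    currency: item.currency,
    source: stripeSourceId,
    metadata: { uid: context.auth.uid, itemId },
  });
  // The real function would now write the purchase to the user's document so
  // the client can display the item later; here it is just returned.
  return { chargeId: charge.id, itemId, amountCharged: item.price, uid: context.auth.uid };
}

// Wiring with the Firebase Functions v1 API (not executed in this example):
// exports.buyItem = functions.https.onCall((data, context) =>
//   buyItem(data, context, (params) => stripe.charges.create(params)));
```

A tampered payload that carries `price: 1` still results in a charge for the catalog price, and a missing `context.auth` is rejected before any lookup happens.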
I need a solution. I'm developing an online course selling app, and I want to unlock the course when users purchase the product. How do I do that? I've received the Firebase auto-generated course ID when the new course and each episode were added. So how do I implement this logic?
And I locked the course using if/else widget checking.
Here is how I did that.
I also have no idea if this is the right way to do this.
How do I implement this logic in the app?
Save the list of course IDs in the user data, and when a user accesses a course check whether its ID exists in that list; if it does, unlock it.
I am using Firebase as the backend for my Android app. This app is a social media app where users can post, comment and like, so I am storing user data in user_collection, and this collection is secured by security rules where uid == auth.uid (any user can only access their own data).
Now, in this app, when a user posts something every user can see that post. In post_collection I am saving the userId in post_doc.
So the problem is that I need to show the name of the user to other users, and I only have the userId, but a user can't get the name of another user by uid because of the security rules. Now I have two solutions for this; please tell me which one is better, or you can also suggest other solutions.
I can use a Cloud Function getUserNameById() (problem: I need to call this function very frequently in the feed when the user scrolls).
I can also store the name in post_doc (problem: when a user changes their name, old posts will show the old name).
Thanks for your kind help.
In a scenario like the one you describe, I would typically store the user name in each post doc. I would also ignore updates to the name, as I think of the user name in the post doc as a historical value: this is the name the user had when they posted this. Now you may want different behavior of course, in which case I recommend reading: How to write denormalized data in Firebase
Your approach with Cloud Functions is fine too, and quite common in some situations. But I tend to only use Cloud Functions for reading data if the read operation itself is particularly complex, which isn't the case here. In a case like this, I'd recommend coming up with a data model that allows the use-case and security you want.
For example: if you create a collection usernames where each document has the UID as its document ID, and then contains a single field with the username for that UID, you could implement the lookup of the user name through Firestore.
So you could have:
Store the full user profile in /users/$uid.
Store the user name in /usernames/$uid.
Have a Cloud Function that triggers when /users/$uid is written and that updates /usernames/$uid.
The client then has read access to each /usernames/$uid document, or even to the entire /usernames collection in one go if needed.
This way the names can be cached on the client, and continue to work when the app is offline, unlike in your approach with a Cloud Function that looks up the user name.
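The decision logic for the Cloud Function this answer sketches, as an added example that is not the answer's own code: it turns a write to /users/$uid into the matching write to /usernames/$uid, copying nothing but the name and skipping writes when the name did not change. The profile field name `displayName`, the `name` field in /usernames and the trigger and rules wiring in the comments are assumptions; the pure function runs without the Firebase SDK.

```javascript
// Decide what to write to /usernames/{uid} after a write to /users/{uid}.
// `before` and `after` are the profile document contents (null when the
// document did not exist at that point). The profile field holding the
// public name is assumed to be `displayName`.
function planUsernameSync(uid, before, after) {
  if (typeof uid !== 'string' || !/^[A-Za-z0-9_-]{1,128}$/.test(uid)) {
    throw new Error('invalid uid');
  }
  const path = `usernames/${uid}`;
  const nameOf = (doc) =>
    doc && typeof doc.displayName === 'string' ? doc.displayName.trim() : '';
  const prev = nameOf(before);
  const next = nameOf(after);
  // Profile deleted or name cleared: remove the public record, if there was one.
  if (next === '') {
    return prev === '' ? null : { op: 'delete', path };
  }
  // Unchanged name (e.g. only private profile fields were edited): do nothing,
  // so ordinary profile edits do not cause a write to /usernames.
  if (prev === next) return null;
  // Copy only the name; nothing else from the profile becomes public.
  return { op: 'set', path, data: { name: next } };
}

// Trigger wiring (Firebase Functions v1 API, not executed here). The Admin
// SDK bypasses security rules, so /usernames can stay read-only for clients:
//
// exports.syncUsername = functions.firestore
//   .document('users/{uid}')
//   .onWrite((change, context) => {
//     const plan = planUsernameSync(
//       context.params.uid,
//       change.before.exists ? change.before.data() : null,
//       change.after.exists ? change.after.data() : null);
//     if (!plan) return null;
//     const ref = admin.firestore().doc(plan.path);
//     return plan.op === 'delete' ? ref.delete() : ref.set(plan.data);
//   });
//
// Matching security rules (clients read /usernames, never write it):
//
// match /users/{uid} {
//   allow read, write: if request.auth != null && request.auth.uid == uid;
// }
// match /usernames/{uid} {
//   allow read: if request.auth != null;
//   allow write: if false;
// }
```

Because the function is the only writer of /usernames and copies a single field, a user can edit their private profile without exposing anything else, and a deleted profile takes its public name with it.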
Consider this solution: whatever public data you need (author name, author userpic link, etc.), just save it with the post at the time it is created.
So your Message POJO will look like:
id
authorName
text
etc.
and just display this name (authorName).
It would be a bad way to go to the User_collection folder every time to fetch the name, even if the security were not strict (because it takes time and document reads).
I'm building a multi-sided app where people can sell and buy food. That's the shortest summary possible.
When a user makes a food order to a restaurant and this order has been marked as dispatched, the app generates a commission on the restaurant profile in Firestore.
When the commission is created, it triggers a background Firebase Cloud Function that checks whether the restaurant has an active billing cycle; if not, it creates one like this:
billingCycle: {
  openDate: 'the moment where the fee was created',
  endDate: '4th day after' //
}
This object is created in the user profile (with the correct dates) and works OK!
Now I want to emit an invoice when the date in the endDate property arrives; here comes the question.
How can I trigger a function when the endDate date is reached?
I was thinking of moving that decision to the app. That way the app detects when it's time to trigger while the user is using it, but what if the user is not?
How can I trigger the Firebase Cloud Function to emit the invoice independently of the user's interaction with the client app?
I've researched a lot to find an answer but I didn't find anything related, so any kind of help is much appreciated.
*This is the first time I'm using FCF.
You can use an onUpdate trigger on documents that may get updated that way. Write code in the function that checks, on every update, if the dates match in the document. If the dates match, emit the invoice, then update the document again with a flag value that indicates the invoice is emitted.
You will also have to use that new flag to determine not to emit the invoice again on further updates (otherwise your function will send an invoice every time it's updated, when the dates match - this boolean will indicate that it already happened).
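The onUpdate check and the "already emitted" flag from this answer, as an added example (not the answer's code): the decision is a pure function so it runs without the Firebase SDK, and the trigger wiring in the comment shows the flag being claimed inside a transaction. The field names `billingCycle.endDate`, `billingCycle.invoiceEmitted`, `billingCycle.invoicedAt` and the `restaurants/{id}` path are assumptions.

```javascript
// Decide, on each update of a restaurant document, whether the invoice for
// the current billing cycle is due. `doc` is the document content after the
// update; `now` is a Date. Field names under billingCycle are assumptions.
function decideInvoice(doc, now) {
  const cycle = doc && doc.billingCycle;
  if (!cycle || typeof cycle.endDate !== 'string') {
    return { emit: false, reason: 'no-open-cycle' };
  }
  // The flag the answer describes: once set, later updates must not re-emit.
  if (cycle.invoiceEmitted === true) {
    return { emit: false, reason: 'already-emitted' };
  }
  const end = new Date(cycle.endDate);
  if (Number.isNaN(end.getTime())) {
    return { emit: false, reason: 'invalid-endDate' };
  }
  if (now.getTime() < end.getTime()) {
    return { emit: false, reason: 'not-due' };
  }
  // Due: the caller writes this update (setting the flag) and emits the invoice.
  return {
    emit: true,
    update: {
      'billingCycle.invoiceEmitted': true,
      'billingCycle.invoicedAt': now.toISOString(),
    },
  };
}

// Trigger wiring (Firebase Functions v1 API, not executed here). Reading and
// setting the flag inside one transaction means two overlapping invocations
// cannot both decide to emit; the invoice itself is emitted after the
// transaction commits, since transaction bodies may be retried.
//
// exports.onRestaurantUpdate = functions.firestore
//   .document('restaurants/{id}')
//   .onUpdate(async (change, context) => {
//     const ref = change.after.ref;
//     const decision = await admin.firestore().runTransaction(async (tx) => {
//       const d = decideInvoice((await tx.get(ref)).data(), new Date());
//       if (d.emit) tx.update(ref, d.update); // claim it before emitting
//       return d;
//     });
//     if (decision.emit) await emitInvoice(context.params.id); // your own code
//   });
```

Note that an onUpdate trigger only runs when something writes the document, so a cycle whose endDate has passed is only noticed on the next write; a scheduled function (`functions.pubsub.schedule`) that touches due documents is a common companion to this pattern, and the flag above keeps that write from emitting twice.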
I am trying to fetch the "Email Performance Report" from the platform using the API to analyze KPIs like CTR etc. by type of email (newsletter, email marketing, etc.).
I went through the documentation; however, I didn't find an endpoint from which I can fetch it.
Does anyone know if there is a way to get this information?
There is no endpoint to query reports directly. However, the good news is, that the “things” that make up an “Email Performance Report”, namely: email delivery, bounce, open and click are available to query via the API.
This means that you have to build the report yourself, but you can fetch the dataset to work on.
These “things” are called activity types (activity measured on a Lead) and can be fetched by querying against the Get Lead Activities endpoint, which is also mentioned as the Query in the API docs.
It sits at the GET /rest/v1/activities.json url and you have to pass a nextPageToken and the activityTypeIds as query parameters.
The nextPageToken indicates a datetime. Activities after that date will be returned by the call. To obtain one, you have to make a call to GET /rest/v1/activities/pagingtoken.json, where you have to specify the earliest datetime to retrieve activities from. See more about Paging Tokens.
To figure out the value of activityTypeIds, you first need to get the internal Ids of the activity types you are interested in. In order to do so, you have to query the GET /rest/v1/activities/types.json endpoint and look for the activity types with names like Send Email, Email Delivered, Email Bounced, Unsubscribe Email, Open Email and Click Email. (I don't know if these Ids are changing from instance to instance, but in ours these are from #6 to #11).
Once you have all of these bits at hand, you can make your request like this:
GET https://<INSTANCE_ID>.mktorest.com/rest/v1/activities.json?activityTypeIds=<TYPE_ID>&nextPageToken=<NEXTPAGE_TOKEN>&access_token=<ACCESS_TOKEN>
The result it gives is an array with items like below. Items can be filtered to specific email based on the primaryAttributeValue property and processed further accordingly.
{
  "id": 7370416,
  "marketoGUID": "7170506",
  "leadId": 291305,
  "activityDate": "2017-12-17T00:00:00Z",
  "activityTypeId": 11,                 // #11 = `Click Email`
  "campaignId": 1790,
  "primaryAttributeValueId": 1638,
  "primaryAttributeValue": "EMAIL_NAME", // Name of the Email as seen in Marketo
  "attributes": [
    // …
  ]
}
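Building the report from those activity records, as an added example that is not part of the answer: the aggregator groups records of the shape shown above by `primaryAttributeValue`, counts unique leads per activity type and derives open rate and CTR, and a paging helper walks the activities endpoint. The type id mapping (Send Email = 6 through Click Email = 11) follows the answer's instance and is an assumption to verify against your own /rest/v1/activities/types.json; the rate definitions, the `fetchPage` callback and the sample records are constructed for the example.

```javascript
// Activity type ids as in the answer's instance; an assumption, verify via
// GET /rest/v1/activities/types.json for your own instance.
const EMAIL_ACTIVITY_TYPES = {
  6: 'sent', 7: 'delivered', 8: 'bounced', 9: 'unsubscribed', 10: 'opened', 11: 'clicked',
};
const METRICS = ['sent', 'delivered', 'bounced', 'unsubscribed', 'opened', 'clicked'];

// Constructed activity records in the shape the answer shows (attributes omitted).
const act = (id, leadId, activityTypeId, primaryAttributeValue) =>
  ({ id, leadId, activityTypeId, primaryAttributeValue, activityDate: '2017-12-17T00:00:00Z' });
const sampleActivities = [
  act(1, 100, 7, 'Newsletter-Jan'), act(2, 101, 7, 'Newsletter-Jan'),
  act(3, 102, 7, 'Newsletter-Jan'), act(4, 103, 7, 'Newsletter-Jan'),
  act(5, 104, 8, 'Newsletter-Jan'),                       // bounced
  act(6, 100, 10, 'Newsletter-Jan'), act(7, 101, 10, 'Newsletter-Jan'),
  act(8, 100, 10, 'Newsletter-Jan'),                      // second open, same lead
  act(9, 100, 11, 'Newsletter-Jan'),                      // click
  act(10, 200, 7, 'Promo-Feb'), act(11, 200, 11, 'Promo-Feb'),
  act(12, 200, 1, 'Promo-Feb'),                           // some non-email activity type
  act(9, 100, 11, 'Newsletter-Jan'),                      // duplicate id from an overlapping page
];

// Aggregate activities into per-email KPIs, counting unique leads per metric
// (a lead that opens twice counts once). `emailName` optionally restricts the
// result to one email, matching on primaryAttributeValue as the answer suggests.
function aggregateEmailKpis(activities, emailName) {
  const perEmail = new Map();
  const seen = new Set(); // activity ids, so overlapping pages are not double counted
  for (const a of activities) {
    if (seen.has(a.id)) continue;
    seen.add(a.id);
    const metric = EMAIL_ACTIVITY_TYPES[a.activityTypeId];
    if (!metric) continue; // not an email activity
    if (emailName !== undefined && a.primaryAttributeValue !== emailName) continue;
    if (!perEmail.has(a.primaryAttributeValue)) {
      perEmail.set(a.primaryAttributeValue, Object.fromEntries(METRICS.map((m) => [m, new Set()])));
    }
    perEmail.get(a.primaryAttributeValue)[metric].add(a.leadId);
  }
  const rows = [];
  for (const [email, sets] of perEmail) {
    const row = { email };
    for (const m of METRICS) row[m] = sets[m].size;
    // Rates are defined here against delivered emails; adapt to your own KPI definitions.
    row.openRate = row.delivered ? row.opened / row.delivered : 0;
    row.ctr = row.delivered ? row.clicked / row.delivered : 0;
    rows.push(row);
  }
  return rows.sort((x, y) => x.email.localeCompare(y.email));
}

// Paging over GET /rest/v1/activities.json. `fetchPage(token)` performs one
// authenticated request and returns the parsed JSON body (with `result`,
// `nextPageToken` and `moreResult` as in Marketo's response); it is injected
// so this example runs offline. `maxPages` bounds the loop if the API keeps
// returning moreResult = true.
async function fetchAllActivities(fetchPage, firstToken, maxPages = 100) {
  const all = [];
  let token = firstToken;
  for (let i = 0; i < maxPages; i++) {
    const page = await fetchPage(token);
    if (Array.isArray(page.result)) all.push(...page.result);
    if (!page.moreResult || !page.nextPageToken) break;
    token = page.nextPageToken;
  }
  return all;
}
```

Filtering by `primaryAttributeValue` works on the email name as shown in Marketo, so renamed emails split into two rows; grouping on `primaryAttributeValueId` instead keeps them together if that matters for your report.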
I have been tasked with using Google Analytics to report on the use of a desktop app so we can see which parts of the program are being used and how heavily, and potentially also see which companies are using which parts of the program (each company has a unique companyID). Ideally I'd like to be able to look at correlations (e.g., how many users who use report A also use process B?).
I currently have my program set to fire off a call to analytics. I've set it up to use the event tracking, but I'm open to app/screen tracking or something else if something would work better. I'm passing values like
v=1
&t=event // Event hit type
&tid=UA-XXXXX-Y // our ID; real code has valid value here
&cid=12345 // CustomerID
&ec=JobFinancialReport // Event Category
&ea=Run // Event Action
&el=Manager // Event label
&ev=7 // Event value
What I can't figure out is how in Google Analytics to set up reports that would show me something like:
CustomerID  Category            Label    Total Hits  Unique Users
12345       JobFinancialReport  Manager  27          2
12345       MarketingReport1    Manager  6           4
I'm totally new to analytics, so pardon my ignorance if I have some key misconception here. I've searched Google's sites and other questions here, but I may be wording my question incorrectly, so I'm not finding something that's there. This is only one example; in some cases we might want to see how broadly each customer is using the program; in other cases we'd want to take the customerID out and just see how much a particular report is being used overall. Appreciate any guidance. Thanks.
The "cid" parameter is the client id, the value that is used to stitch single interactions into sessions and users.
The first problem that comes to mind with your setup is that the client id is not exposed in the user interface (with the single exception of the user explorer report) or the API.
You would need to implement this via a custom dimension (probably user scope, since it probably will never change for a given user) where you pass in the client id (you still need the cid parameter).
Then you could create a custom report (or create a report in Google Data Studio) with the custom value as primary dimension and your selected metric.
If you want to report "Unique Users" you would probably need to create a cid per logged-in user (if all users of the app have the same cid then you will always have but a single user reported). You should then probably create a second custom dimension for the company id, so you can segment your reports by company.
You can use custom reports in Google Analytics to get your desired output. Here is how to create custom reports: https://support.google.com/analytics/answer/1151300?hl=en