I understand that there are Realtime Database Rules which can be configured to restrict access to data at multiple levels. That's great.
firebase.auth().currentUser; properties to determine what
section, or whatever to switch from CSS
display:inline, for example. However, the HTML is already downloaded to the client so that's not really secure.
So, is the idea to go ahead and download the page but use Realtime Database Rules to determine if the page details get filled with sensitive data? Is that the idea?
I have even stored markup (HTML) in the Realtime Database and that actually worked fine.
Any recommendations are appreciated.
Firebase Hosting doesn't have any kind of access control presently, and you're correct that the HTML/JS/CSS will all be downloaded even if you're hiding and showing it based on Firebase Auth state.
Depending on your application, that may actually be just fine! Since you can control what users actually do using Firebase Database security rules, it isn't really a big deal if users can dig into the code and see functionality that they can't actually utilize.
If it is important to hide the capabilities of the application, you could dynamically load JS/HTML from the database or Firebase Storage only after authorization.
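The approach described in the answer above, as an added example that is not part of the original post: the markup lives in the Realtime Database, a read rule decides who receives it, and the client only renders what the server returned. The `protectedPages` and `admins` paths, the function name and the status strings are assumptions made for illustration.

```javascript
// Assumed Realtime Database rules; the paths "protectedPages" and "admins"
// are hypothetical. The ".read" rule is the actual access control:
// {
//   "rules": {
//     "admins": { ".read": false, ".write": false },
//     "protectedPages": {
//       "$page": {
//         ".read": "auth != null && root.child('admins').child(auth.uid).val() === true",
//         ".write": false
//       }
//     }
//   }
// }

// auth = firebase.auth(), db = firebase.database() (namespaced SDK), passed
// in as parameters so the function can also be exercised with stubs.
function loadProtectedPage(auth, db, pageId, container) {
  // Keep the id to one path segment so it cannot address other nodes.
  if (!/^[A-Za-z0-9_-]+$/.test(pageId)) {
    return Promise.resolve('invalid');
  }
  if (!auth.currentUser) {
    // Convenience only: the rules would reject this read anyway.
    container.textContent = 'Please sign in.';
    return Promise.resolve('signed-out');
  }
  return db.ref('protectedPages/' + pageId).once('value').then(
    (snapshot) => {
      const markup = snapshot.val();
      if (typeof markup !== 'string') {
        container.textContent = 'Page not found.';
        return 'missing';
      }
      // Acceptable only because ".write": false keeps this markup out of
      // users' hands; never assign a user-writable node to innerHTML.
      container.innerHTML = markup;
      return 'rendered';
    },
    (err) => {
      // The server refused the read, so no markup reached the browser.
      container.textContent = 'You do not have access to this page.';
      const code = String(err && err.code).toUpperCase();
      return code === 'PERMISSION_DENIED' ? 'denied' : 'error';
    }
  );
}
```

The `auth.currentUser` check only saves a round trip; a client that skips it still gets nothing, because the rule is evaluated on the server.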