I'm developing a multiplayer board game (very similar to Chess). I'm using Firestore as the backend. I understand that to prevent cheating on the game, I need to put the game logic (validate legal moves, change turn, countdown timer) on the server-side and not on the client-side. Now, as I understand there are mainly two places to configure the server-side behavior in Firebase: Cloud Functions and Security Rules. I thought about using Security Rules to validate moves and Cloud Functions to flip the turn and count down the time. I don't have much experience with Security Rules, but I think writing rules to validate moves would be too complex. Alternatively, I thought about preventing all write access to Firestore from the client and writing HTTPS Cloud Functions for the client to call. For example, I would have a function for making a move. The client would call this function instead of writing directly to Firestore. I'm not sure how to go about this. What do you think?
0
votes
This statement isn't accurate: "to prevent cheating on the game, I need to put the game logic on the server-side", and I'm not sure where that information came from. If that were true then any data could be compromised. Rules control read/write access to your app's data that's stored in Firebase - they probably are not the right place to validate moves, as there would (generally) be logic involved with that which would be handled by the app, e.g. preventing a bishop moving vertically on the board; you could probably pull that off in a rule but that would be better handled by a code-level calculation.
- Jay
Anyone with enough experience can mimic your client. This is not a problem with Firebase. It is the nature of software. Any accessible software can be reverse engineered with enough time and effort.
- 3li
You might find this answer helpful stackoverflow.com/a/40564807/4330274
- 3li
Yes - perfect answer and speaks directly to what I said: "That's why you secure access to Firebase data... (using Authentication and) security rules (for database or storage) to ensure they can only access the data they're authorized for." Great answer which addresses your question pretty accurately. Check out the follow-up question & answer as well: How do I prevent un-authorized access to my Firebase Database?
- Jay
Okay, so do you agree that we have to put the game logic on the server-side and not on the client?
- 3li
1 Answer
3
votes
As you said, there are two broad options:
- Validate the move in security rules.
- Validate the move in Cloud Functions.
Since security rules are close to Turing complete, you can express almost any requirement in them. But as your game rules get more complex, you'll see diminishing returns for implementing your game logic there. The declarative nature of security rules is just hard for most of us to get right.
So for more complex game rules I'd usually opt to have a code enforce them, in the shape of Cloud Functions. So in that case:
- The client writes a "game turn" to the database.
- The structure of this game turn is validated by security rules.
- The write operation triggers a Cloud Function.
- This Cloud Function interprets the game turn, and updates the game state.
- All clients then see the new game state.
Firebase's Doug Stevenson gave a good talk showing this approach at Google I/O 2017: Architecting for Data Contention in a Realtime World with Firebase. While he uses the Firebase Realtime Database there (as Firestore wasn't released yet), the same approach applies to Cloud Firestore.
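The "Cloud Function interprets the game turn and updates the game state" step from the answer, as an added example in plain JavaScript (not the answerer's code and not Firebase's): the authoritative board and turn live only on the server, the client's turn document carries nothing but uid/from/to, and every check (whose turn it is, piece ownership, movement rule, clear path) runs before the turn flips. The state shape, the rook-and-bishop-only rule set and the sample position are assumptions for this example; in a deployment `applyTurn` would be called from the Firestore onCreate trigger inside a transaction.

```javascript
// Added example (not from the answer): the "Cloud Function interprets the game turn"
// step as a pure function so it can be tested offline. In production it would run in
// a Firestore onCreate trigger inside a transaction; the state and turn-document
// shapes are assumptions for this example. Board: board[rank][file], "" = empty,
// "wR" = white rook, "bB" = black bishop; only rook and bishop moves are modelled.
const FILES = "abcdefgh";
function parseSquare(sq) {
  if (typeof sq !== "string" || !/^[a-h][1-8]$/.test(sq)) return null;
  return { x: FILES.indexOf(sq[0]), y: Number(sq[1]) - 1 };
}
// True if every square strictly between from and to is empty (straight or diagonal lines only).
function pathClear(board, from, to) {
  const dx = Math.sign(to.x - from.x), dy = Math.sign(to.y - from.y);
  for (let x = from.x + dx, y = from.y + dy; x !== to.x || y !== to.y; x += dx, y += dy) {
    if (board[y][x]) return false;
  }
  return true;
}
function pieceCanMove(piece, from, to) {
  const ddx = Math.abs(to.x - from.x), ddy = Math.abs(to.y - from.y);
  if (ddx === 0 && ddy === 0) return false;
  if (piece[1] === "R") return ddx === 0 || ddy === 0;
  if (piece[1] === "B") return ddx === ddy;
  return false; // other pieces are not modelled here
}
// state is the server-held, authoritative game: { board, turn: "w"|"b", players: { w: uid, b: uid } }.
// turnDoc is what the client wrote: { uid, from, to }. uid is assumed to be pinned to
// request.auth.uid by the security rules; board and turn are never taken from the client.
function applyTurn(state, turnDoc) {
  const from = parseSquare(turnDoc.from), to = parseSquare(turnDoc.to);
  if (!from || !to) return { ok: false, reason: "malformed square" };
  if (state.players[state.turn] !== turnDoc.uid) return { ok: false, reason: "not your turn" };
  const piece = state.board[from.y][from.x];
  if (!piece || piece[0] !== state.turn) return { ok: false, reason: "no own piece on from" };
  const target = state.board[to.y][to.x];
  if (target && target[0] === state.turn) return { ok: false, reason: "own piece on to" };
  if (!pieceCanMove(piece, from, to)) return { ok: false, reason: "illegal move for piece" };
  if (!pathClear(state.board, from, to)) return { ok: false, reason: "path blocked" };
  const board = state.board.map(row => row.slice()); // copy: never mutate the input state
  board[to.y][to.x] = piece;
  board[from.y][from.x] = "";
  return { ok: true, state: { ...state, board, turn: state.turn === "w" ? "b" : "w" } };
}
// Constructed sample position: white rook a1, white bishop d1, black bishop c3.
function sampleState() {
  const board = Array.from({ length: 8 }, () => Array(8).fill(""));
  board[0][0] = "wR"; board[0][3] = "wB"; board[2][2] = "bB";
  return { board, turn: "w", players: { w: "alice-uid", b: "bob-uid" } };
}
```

A client-supplied `turn` or `board` field in the turn document is simply never read, so a tampered client cannot move out of turn or rewrite the position.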