Secure invite system

[shresthabijay]

In the current invite system, we have one single collection /invites that are readable and writeable by any user. Anyone with an app token can access and update the invites. This defeats the purpose of private invites. So we need the following things:

• Prevent creating more than three invites per user using the firebase rule.
• Prevent users to read all available invites from /invites.
• Allow only users with redeemed invites to use the resources.
• Prevent invited users to access the app. However, allow developers to access it.

[shresthabijay]

Firebase cannot limit the number of entries in a collection. So it is not possible to limit using firebase security rules.

Possible approach

• Any user can sign in using any method but only users with a redeemed invite can access the app. It is because firebase cannot actually prevent users from signing up. Instead, we depend on the custom claim in user token to allow access to signed-in users.
• Store list of invite codes associated with a user in /user_invites/${userId}. Only readable by the owner user.
• Store list of all invite code data in /invites. Make /invites path non readable, but make/invites/${inviteCodeId} readable. That means no user can see the full list, but any user with an invite code id can read data of that specific invite code data. Also, the invite code should be writable.
• A firebase function to generate three invites for a user. Populates /user_invites/${userId} and also creates entry in /invites. This function should be guarded by id token.
• A firebase function to redeem the invite code. It will take the invite code id and userId(who is claiming the invite), then updates the invite code data in /invites. It also updates the claim in the user token.