How to secure anonymous DB Insert in Realm?

Hi there,

I am facing an important question as a result of the following action:
During the new user signup process, the user enters first name and last name as well as email and password.
Then all these fields except the password are saved in the custom user data collection. This insertion is done by an anonymous user, since they are in the new user registration process.
Now the question is how safe this approach is, and if it's not safe, how we can secure this insertion. If there is a better approach to persist these properties, please explain it in a bit of detail.

Kind regards, Behzad

Hi @Behzad_Pashaie,

Why does an email user need to authenticate anonymously?

Is that part of the registration phase?

I would suggest using the standard SDK registration for user signup, e.g. the Node SDK:

https://docs.mongodb.com/realm/sdk/node/advanced/multi-user-applications/

Thanks
Pavel

Hi @Pavel_Duchovny,
Yes, this is part of the user registration process, which is as follows:
The user fills in the sign-up form with name, last name, email and password. On submitting the form we need to save
the first name and last name, while email and password are required to register the new user with the Web SDK.
But the SDK does not provide any solution for saving the custom data at the registration and user confirmation step, at least as far as I have seen after going through it many times.
Can you please explain in a bit of detail how to save the first name and last name before user confirmation?
Thanks,
Kind regards, Behzad

Hi @Behzad_Pashaie,

Well, you can use a confirmation function flow to save user data in the custom data collection via the Atlas service. But if you can't pass this information to that function, I can think of 2 ways:

  1. Use anonymous authentication to write the data with the userId after registration to a temp collection, and then use an on-insert trigger on the collection to populate the custom data collection.
  2. Set up a webhook on the HTTP service and provide the details of the newly registered user. Have the flow call that webhook to register the details.

Thanks

Hi @Pavel_Duchovny,
Thanks for the answer. Step 1 is exactly what I have implemented. But then the question is: is an anonymous write/insert to that temp collection safe?
Still a bit unclear.
Have a nice day,
Behzad

@Behzad_Pashaie,

Make sure you secure it properly, allowing only fields and types that cannot harm your data.

You can only allow appending to that collection and the user id could be a unique index…
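
The checks suggested in the reply above, sketched as an added example that is not part of the original thread and does not use any Realm API: an allow-list of string fields, insert-only writes, and a uniqueness check on the user id. The field names, length limits and the in-memory `PendingProfiles` store are assumptions for illustration.

```javascript
// Added example: field names, length limits and the in-memory store are assumptions.
const ALLOWED = new Map([["userId", 64], ["firstName", 100], ["lastName", 100]]);

// Accept only the allow-listed string fields; return a trimmed copy or a reason.
function validateSignupDoc(doc) {
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    return { ok: false, reason: "not an object" };
  }
  const clean = {};
  for (const [key, value] of Object.entries(doc)) {
    if (key === "_id") continue; // assigned by the database, not user data
    if (!ALLOWED.has(key)) return { ok: false, reason: `unexpected field: ${key}` };
    // Rejects nested objects such as { $ne: null } as well as numbers and arrays.
    if (typeof value !== "string") return { ok: false, reason: `${key} must be a string` };
    const text = value.trim();
    if (text.length === 0 || text.length > ALLOWED.get(key) || /[\u0000-\u001f]/.test(text)) {
      return { ok: false, reason: `${key} has invalid length or characters` };
    }
    clean[key] = text;
  }
  for (const key of ALLOWED.keys()) {
    if (!(key in clean)) return { ok: false, reason: `missing field: ${key}` };
  }
  return { ok: true, doc: clean };
}

// Stand-in for the temp collection: insert-only, with userId acting as a unique index.
class PendingProfiles {
  constructor() {
    this.byUserId = new Map();
  }
  insert(doc) {
    const result = validateSignupDoc(doc);
    if (!result.ok) return result;
    if (this.byUserId.has(result.doc.userId)) {
      return { ok: false, reason: "duplicate userId" }; // first write wins
    }
    this.byUserId.set(result.doc.userId, Object.freeze(result.doc));
    return result;
  }
}

// Constructed sample inputs.
const store = new PendingProfiles();
console.log(store.insert({ userId: "u1", firstName: " Ada ", lastName: "Lovelace" }));
console.log(store.insert({ userId: "u1", firstName: "Eve", lastName: "Overwrite" }));
console.log(store.insert({ userId: "u2", firstName: { $ne: null }, lastName: "X" }));
console.log(store.insert({ userId: "u3", firstName: "Bob", lastName: "Y", role: "admin" }));
```
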

Hei @Pavel_Duchovny,
thanks :slight_smile: .
