Ionic + Firebase Database security + PayPal

I’m using Ionic 3 with Firebase Database and PayPal for payments. In my App users are able to purchase via PayPal listings offered by other users on the App (marketplace). I ran into problems with the correct Firebase Database rules I need to implement for my database.

On the one hand, when a given listing is purchased, the buyer needs to update the status of the listing to SOLD (so that no one else buys it again). On the other hand, on the owner of the listing should be authorized to edit his/her listing. There are the rules I have right now, which don’t really solve my dilemma.

    "explore": {
      ".read": "auth.provider === 'facebook'",
      "$listing": {
      	".write": "auth.provider === 'facebook' && ((!data.exists() && newData.exists()) || root.child('explore/'+$listing+'/UID').val() === auth.uid)",

Maybe there is a way to do it from the backend of Firebase Functions? Any advice on how to go about solving this problem will be greatly appreciated! Many thanks!

Hey, @dimitri320,

One of the solutions I see here is offloading that from the app to Firebase Cloud Functions, and you can set a more strict set of security rules and then bypass them using the admin SDK.

One thing to keep in mind if you’re calling those functions from the phone is that if the user’s app crashes mid-way, you’ll end up with a buggy listing.

To advice on how to set up your Firebase Security Rules, I’d need to know more about you’re database structure.


Hi @javebratt !
Thanks so much for your reply, and btw, I love your Ionic tutorials!

My Firebase Database structure is as follows:

  • listings
    —Listing Unique ID (generated by Firebase via push()
    -------Listing content (a few dozen items or so)

Can you advice how can I pass a PayPal return variable directly to Firebase Functions (cloud backend), without in between saving it in a Firebase Database?

Many thanks!

You can create an $http trigger in Firebase Cloud Functions that take the token (and the other information you’re sending) does what it needs with the token and then writes what you want to write to the database.

Now, on the security rules side, I think it comes down to creating a better database structure to handle what you want, that way Security rules don’t have to be weird.

I suggest you create the listings inside each person’s profile, for example:

  -profile: .......
    --pushGeneratedId: {
      //All other listing information

You can then set up a Cloud Function database trigger that listens to that node, and every time a user adds an item to their listing, the function should add the listing to a read-only list that only has the information you want public about the listing.

That way it’s easier to setup security rules because you can lock the entire user profile node so that each profile is only accessible to its creator.

Thank you!

And if you run into any issues feel free to ping me here, I’ll do my best to help :smile:

1 Like

Thanks so much for your follow up!

Unfortunately I can’t change the structure of my Database, due to it’s intrinsic nature, so I need to keep all listings together.

I feel what I need to do is:

  1. User makes payment on the frontend via PayPal
  2. PayPal sends a Webhook to my URL (Firebase Function)
  3. Firebase Function processes this request and as Admin writes to the node

What I’m stuck with is how to configure the PayPal Webhook. I don’t seam to find a way or a tutorial on this. As I only only need to specify the URL to send the data to but also some more data which PayPal received from the frontend.

Any suggestions on how to go about this?

Many thanks!!!

Haven’t worked directly with Paypal so wouldn’t know, don’t they have something like Stripe with stripe-checkout where the customer sends the credit card data to them and they handle everything and send back a token to you?