How can I secure my Moralis DB if a user can see my code?

I saw the video tutorial about the security level/ACL/CLP, but I still have some doubts.

Let’s suppose I have a web game where a user logs in with his wallet and then pays some tokens (like BNB, ETH or some other tokens) to buy some tickets to play the games on the website. So he pays 1 BNB and he gets 100 tickets. Now in my code I update the “tickets” column for that user and set the value to “100”. But if the logged-in user sees my code, he can easily call the same function I use to update the value, but passing 300 instead of 100 for example, and get free tickets. How can I prevent that? If I disable read/write even for the current logged-in user, I suppose I can’t update the value when he buys his tickets.

Thank you!

You need to use a different table for that, and also update that number of tickets based on what is on chain and not from a call from the user.

Sorry, I’m not sure I understood what you mean. What’s the difference if I use another table, and how should I use it?

When a user clicks on the “Buy tickets” button on the website, a MetaMask tx pops up and the user deposits his tokens for x tickets. I want to save the number of tickets the user has bought on the server rather than on a smart contract, so that he doesn’t have to spend gas for a tx each time he wants to play a game.

But I don’t understand how to save the number of tickets in the Moralis server without letting the user modify this number if he manually calls the same function with a bigger amount for the tickets variable.

Do you have an example/documentation of what you mean?

first step: user buys a ticket, MetaMask pops up, user makes the transaction
second step: you check when the user’s transaction made it on chain and you update the database with the corresponding info without any intervention from the user

Ok I got what you mean, and I had the same idea.
But for the second step, “you update the database with the corresponding info without any intervention from the user” -> this means I have some code on my website that executes this function.

So for example, the user buys the tickets, confirms the tx on MetaMask and then, when the tx is confirmed, I call this function (which is in my website, in one of my js files).

// Runs in the browser, so anyone logged in can call it with any amount
const Tickets = Moralis.Object.extend("Tickets");
const tickets = new Tickets();
tickets.set("amount", 100);
tickets.save();

But if a user sees my code on my website, he can easily copy-paste the code above in the console and do tickets.set("amount", 300)

How can I avoid this?

That code runs on your Moralis Server or on your backend; it checks what transactions were made on chain and updates the database. That code doesn’t run in the front end.

Ah ok, gotcha. So I basically need to create a server that communicates with my front-end and updates the moralis DB. Thank you!

I think that you can do that directly on a Moralis Server too, with jobs, afterSave hooks, event sync, cloud functions
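The server-side flow described in the two answers above, as an added example that is not code from this thread or from the Moralis SDK: the browser sends only a transaction hash, and the server reads the transaction from the chain, checks it, and derives the ticket count itself, so a client-supplied amount never enters the picture. In a Moralis Server this logic would live in a cloud function registered with `Moralis.Cloud.define` and save to a “Tickets” class whose CLP denies client writes, using the master key; here the chain reader and the store are in-memory stubs (constructed), and every address, hash and price is made up. Function names such as `creditTickets` and `createStore` are hypothetical.

```javascript
// Added example, not code from the forum thread or the Moralis SDK.
// Server-side ticket crediting: the ticket count is derived from the on-chain
// transaction, never from a value the client sends. The chain and the store are
// constructed in-memory stand-ins so this runs offline.

const TREASURY = "0x1111111111111111111111111111111111111111"; // constructed: the address users pay
const USER = "0x2222222222222222222222222222222222222222";     // constructed: the logged-in wallet
const WEI_PER_TICKET = 10n ** 16n;                              // constructed: 0.01 BNB per ticket
const MIN_CONFIRMATIONS = 12;                                   // wait out shallow reorgs before crediting

// Constructed stand-in for eth_getTransactionByHash + receipt lookups.
const SAMPLE_CHAIN = new Map([
  ["0x01", { from: USER, to: TREASURY, value: 10n ** 18n, status: 1, confirmations: 20 }], // 1 BNB, valid
  ["0x02", { from: USER, to: USER, value: 10n ** 18n, status: 1, confirmations: 20 }],     // paid to the wrong address
  ["0x03", { from: USER, to: TREASURY, value: 10n ** 18n, status: 1, confirmations: 2 }],  // not yet final
  ["0x04", { from: USER, to: TREASURY, value: 10n ** 18n, status: 0, confirmations: 20 }], // reverted
  ["0x05", { from: "0x3333333333333333333333333333333333333333",                          // someone else's payment
             to: TREASURY, value: 10n ** 18n, status: 1, confirmations: 20 }],
]);

function readTransaction(chain, txHash) {
  return chain.get(txHash.toLowerCase()) ?? null;
}

// The price is applied on the server; whole tickets only, any remainder is not credited.
function ticketsForValue(valueWei) {
  return Number(valueWei / WEI_PER_TICKET);
}

// Server-side store. In Moralis this is the "Tickets" class with client write
// disabled in its CLP and written only with the master key; here it is a plain object.
function createStore() {
  return { credited: new Set(), balances: new Map() };
}

// Called from the cloud function with the authenticated user's address and the
// tx hash the browser submitted. Returns an audit-friendly result object.
function creditTickets(store, chain, userAddress, txHash) {
  const hash = txHash.toLowerCase();
  const user = userAddress.toLowerCase();

  // Replay protection: one transaction credits tickets exactly once.
  if (store.credited.has(hash)) return { ok: false, reason: "already_credited" };

  const tx = readTransaction(chain, hash);
  if (!tx) return { ok: false, reason: "tx_not_found" };
  if (tx.status !== 1) return { ok: false, reason: "tx_failed" };
  if (tx.confirmations < MIN_CONFIRMATIONS) return { ok: false, reason: "insufficient_confirmations" };
  if (tx.to.toLowerCase() !== TREASURY) return { ok: false, reason: "wrong_recipient" };
  if (tx.from.toLowerCase() !== user) return { ok: false, reason: "sender_mismatch" };

  const tickets = ticketsForValue(tx.value);
  if (tickets === 0) return { ok: false, reason: "underpaid" };

  store.credited.add(hash);
  store.balances.set(user, (store.balances.get(user) ?? 0) + tickets);
  return { ok: true, tickets, balance: store.balances.get(user) };
}

function ticketBalance(store, userAddress) {
  return store.balances.get(userAddress.toLowerCase()) ?? 0;
}

// Stand-alone run: the first call credits 100 tickets, the replay is refused.
const demo = createStore();
console.log(creditTickets(demo, SAMPLE_CHAIN, USER, "0x01"));
console.log(creditTickets(demo, SAMPLE_CHAIN, USER, "0x01"));
```

The front end only ever passes the transaction hash; the sender check ties the payment to the authenticated session, the recipient and status checks rule out transactions that did not actually pay the treasury, the confirmation threshold covers the reorg edge case, and the credited-hash set stops the same payment being submitted twice. Read access on the Tickets class can stay open to the owning user so the game can display the balance, as long as write access is reserved for the master key.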

thank you, I didn’t know about that! I’ll take a look at the documentation!