Query regarding database security

Hi,

I have one application requirement, wherein I want to store one particular token count (say token name ABC) at the user level in one collection.
And based on this ABC token volume, I am categorizing users into different levels. Hence this collection becomes very critical and should not be accessible/modifiable by anyone outside the system.

I plan to get this collection updated using a cloud function. A few questions I have:

  1. How do I define the security parameters for this collection? I have gone through the security documentation, but could not find anything relevant for when we want to update it using a cloud function.
  2. To get the user's category level, I can create a cloud function. But the issue is: if this is called from the frontend, it will be accessible by everyone, and for all users (assuming I provide the address as input to this function, any user can modify this address and start hitting the API to pull all the info).
  3. Any other recommended approach for this?

Thanks in advance.

Hi,

You can write some code at the beginning of the cloud function that checks who is making that request, or whether a specific secret key was provided as a parameter, so that not everyone can call that cloud function.

But if my cloud function is called from the frontend, then we can't pass this secret key.

The way I'm planning to do it is to create a trigger (say beforeSave for one of the collections) in cloud functions. Within this trigger, I access the user's ABC token count (using a smart contract call) and store it in a different collection (say UserTokens).

Now the requirement is: I don’t want to expose this UserTokens collection to anyone outside. It should be accessible only from the cloud functions.

Is it possible to do this? If not, how can I achieve this entire functionality?

You can restrict access to a table with CLPs and ACLs: https://www.youtube.com/watch?v=Yd4gFQ5ppmQ&ab_channel=MoralisWeb3

Thanks for the reply. I already went through it.

But my question is: if I remove write permission from this UserTokens collection with a CLP, can I still access it from cloud functions? I still want to write data to this collection, but only from cloud functions.

And since this write process is part of a trigger (beforeSave) which will happen for all entries made to that collection, I can't define an ACL in this UserTokens collection for any one particular user.

Please let me know if my understanding is correct, and suggest some solution to this.

You can do anything from cloud code using the master key.


Okay, that's great to hear! This will definitely fulfill my requirement then. Thanks a lot.

Can you please share sample cloud function code with the master key used?

https://docs.moralis.io/moralis-server/cloud-code/cloud-functions#using-the-master-key-in-cloud-code

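As an added example, not code from this thread or from Moralis, here is the pattern the thread converges on in one runnable piece: a UserTokens class whose CLP denies public read and write, a beforeSave trigger that writes to it with the master key, and a frontend-callable function that identifies the caller from request.user instead of trusting an address parameter (which answers the earlier "any user can modify this address" worry without needing a secret key from the frontend). The Moralis SDK is not available offline, so the CLP check, query and save are a constructed in-memory stand-in; the class names, addresses, balances and level thresholds are all assumptions.

```javascript
// Added example, not code from the original thread or from Moralis. It models the
// pattern the thread converges on: a UserTokens class whose CLP denies public
// read/write, a beforeSave trigger that writes to it with the master key, and a
// frontend-callable function that identifies the caller from request.user.
// The Moralis/Parse SDK is not available offline, so the query/save/CLP behaviour
// is a constructed in-memory stand-in; real cloud code uses Moralis.Query,
// object.save({ useMasterKey: true }) and Moralis.Cloud.define with the same shape.

// Class-Level Permissions (constructed). For UserTokens this is the dashboard
// setting "no public read, no public write": only master-key requests pass.
const CLP = {
  UserTokens: { publicRead: false, publicWrite: false },
  Balances:   { publicRead: true,  publicWrite: true  },
};

// In-memory tables standing in for the Moralis database (constructed).
const store = { UserTokens: [], Balances: [] };

// The master key bypasses CLPs; everyone else is checked against the class setting.
function enforceClp(className, op, options) {
  if (options && options.useMasterKey) return;
  const clp = CLP[className];
  const allowed = op === 'read' ? clp.publicRead : clp.publicWrite;
  if (!allowed) throw new Error(`Permission denied: ${op} on ${className}`);
}

function find(className, where, options) {
  enforceClp(className, 'read', options);
  return store[className].filter(row =>
    Object.keys(where).every(k => row[k] === where[k]));
}

function save(className, obj, options) {
  enforceClp(className, 'write', options);
  const i = store[className].findIndex(r => r.ethAddress === obj.ethAddress);
  if (i >= 0) store[className][i] = obj; else store[className].push(obj);
  return obj;
}

// Stand-in for the thread's "smart contract call" (constructed balances).
// In real cloud code this would be an async Web3 call.
const chainBalances = { '0xaaaa': 1500, '0xbbbb': 20 };
function fetchAbcTokenCount(address) {
  return chainBalances[address] || 0;
}

// Level thresholds are an assumption; the thread does not state them.
function categorize(abcCount) {
  if (abcCount >= 1000) return 'gold';
  if (abcCount >= 100) return 'silver';
  return 'bronze';
}

// beforeSave trigger on some other class (here a hypothetical "Balances").
// It runs server-side, so it may write UserTokens with the master key even
// though the CLP blocks every client.
function beforeSaveBalances(request) {
  const address = request.object.ethAddress;
  const abcCount = fetchAbcTokenCount(address);
  save('UserTokens', { ethAddress: address, abcCount }, { useMasterKey: true });
}

// Frontend-callable cloud function. The address comes from the authenticated
// session (request.user), never from request.params, so a caller cannot read
// another user's level by editing the input. The master key is used only for
// the server-side lookup, after the caller has been identified.
function getUserCategory(request) {
  if (!request.user) throw new Error('Unauthenticated');
  const rows = find('UserTokens', { ethAddress: request.user.ethAddress },
                    { useMasterKey: true });
  const abcCount = rows.length ? rows[0].abcCount : 0;
  return { level: categorize(abcCount) };
}

// Walks through the three situations raised in the thread and returns the outcomes.
function demo() {
  // 1. A client (no master key) cannot write UserTokens.
  let clientWriteBlocked = false;
  try { save('UserTokens', { ethAddress: '0xaaaa', abcCount: 999999 }); }
  catch (e) { clientWriteBlocked = true; }

  // 2. The trigger populates UserTokens via the master key.
  beforeSaveBalances({ object: { ethAddress: '0xaaaa' } });
  beforeSaveBalances({ object: { ethAddress: '0xbbbb' } });

  // 3. Each signed-in user sees only their own level; a forged params.address
  //    is ignored and an anonymous call is rejected.
  const gold = getUserCategory({ user: { ethAddress: '0xaaaa' },
                                 params: { address: '0xbbbb' } }).level;
  const bronze = getUserCategory({ user: { ethAddress: '0xbbbb' }, params: {} }).level;
  let anonBlocked = false;
  try { getUserCategory({ user: null, params: { address: '0xaaaa' } }); }
  catch (e) { anonBlocked = true; }

  return { clientWriteBlocked, gold, bronze, anonBlocked };
}

console.log(demo());
```

Two design points worth keeping when moving this onto real Moralis cloud code: because the trigger writes every user's row, a CLP with no public write plus `useMasterKey: true` in the server-side save is enough, and no per-user ACL is needed on UserTokens; and the frontend function should read the caller's identity from `request.user`, which Moralis populates from the session token, rather than accepting an address parameter, so there is no secret to hide in the client.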

Thanks a lot mate! Appreciate your efforts.