How to protect the Realm app id?

Debashish_Palit · July 19, 2021, 3:05pm

Hi All,
I have a simple question. When using the realm sdk for web, I need to specify the Realm app id in my frontend app. Can this be misused? If the realm app rules allow inserts, then what prevents someone from spamming my collection with inserts from his own app?

Rgds,
Debashish

Mohit_Sharma · July 27, 2021, 12:03pm

@Debashish_Palit : Welcome to the community.

Realm App id can considered as private property your app and shouldn’t be exposed, but can it misused is hard to answer.

Multiple features are available that can help you prevent such situation like

MongoDB Realm doesn’t allow unauthenticated user access to the Realm Sync.
You can enforced document structure validation while writing information.
Development Mode should be disabled while realising app to production.

Freddy_Mansilla · July 7, 2023, 6:13am

its safe to share the APP ID in to the frontend code?, its a good practice to paste the APP_ID direct in the js script or its necessary to use a environment variable .env

PD: assuming that authentication by email or other system is enabled
thanks

Mohit_Sharma · July 7, 2023, 10:59am

@Freddy_Mansilla: I wouldn’t recommend hard coding the APP ID.

Freddy_Mansilla · July 7, 2023, 10:44pm

if im working only with a frontend webapp page, without a backend server.

how is the best alternative to connect with mongodb api and don’t share the APP_ID in the js script? is there an alternative? does mongodb app services hosting has a tool to save environment variables?

what is the best scheme to work and get safe?
thanks to answer I really appreciate.

Luca_Scalenghe · January 29, 2024, 12:41pm

Hey @Freddy_Mansilla have you found a solution to that? I’m stuck with the same problem actually

Freddy_Mansilla · January 30, 2024, 11:53pm

check this @Luca_Scalenghe

link: Web SDK - Realm App ID - #2 by nlarew