Recommended approach for admin area

I was wondering if there is a recommended approach to create something like an admin board using Realm. So my first thought was, that it would be good, to use the existing application and add an admin area there. But as I am really concerned about security issues there, I am a bit sceptical.

How would I protect my Atlas Functions from being used by accounts that should not? Is there something like a “power user” I could create that can just read/write anywhere?

Or would it be better to create a separate web application? But then I have to redesign most screens from scratch. Example functionality I would need:

  • Check someone's profile in case he/she got many reports
  • Interface to change the phone number of a user (using Firebase Admin SDK on the backend)

I wonder if anyone has experience and suggestions on how to deal with that.

You can make a function and set its Authentication (in the function’s Settings) to System, then in the function the context.user.id will show you which user has called the function (anyone can call it but the context.user will be securely set by Atlas). You can use context.user.custom_data.rank or .permissions or something like that to check which permissions this user has and based on that do any operation or return values from the function.

Use context.runningAsSystem() and context.user.id (which is null when running as system) to check whether the function was called by you from the backend or from any user client.

1 Like
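The pattern in the reply above, written out as an added example (this is not code from the thread or from the Atlas App Services project): a function that runs with its Authentication set to System, identifies the caller from context.user, and checks a permission list kept in the user's custom data before doing the admin operation. The custom_data shape (a `permissions` array), the permission names, the database and collection names, and the `makeContext` stub that stands in for the real Atlas `context` object so the code runs offline are all assumptions made for the example.

```javascript
// Added example: authorization inside an Atlas Function whose Authentication
// is "System". The function is callable by any authenticated user, so it must
// decide for itself what the caller may do.

// Assumed custom user data shape: { permissions: ["admin:read", "admin:write"] }.
// Returns the set of permissions granted to the caller, or throws.
function callerPermissions(context) {
  // A call from your own backend (trigger, scheduled job) runs as system and
  // has no end user behind it; treat it as fully trusted.
  if (context.runningAsSystem()) return new Set(["*"]);
  const user = context.user;
  // context.user.id is set by Atlas, not by the client, so it can be trusted.
  if (!user || !user.id) throw new Error("unauthenticated");
  const perms = (user.custom_data && user.custom_data.permissions) || [];
  return new Set(Array.isArray(perms) ? perms : []);
}

// True if the caller holds `needed` (or the system wildcard).
function isAuthorized(context, needed) {
  try {
    const perms = callerPermissions(context);
    return perms.has("*") || perms.has(needed);
  } catch (e) {
    return false;
  }
}

function requirePermission(context, needed) {
  if (!isAuthorized(context, needed)) {
    throw new Error(`forbidden: ${needed} required`);
  }
}

// The first admin operation from the question: list the reports filed against
// a profile. Database name "app" and collection "reports" are placeholders.
async function getProfileReports(context, payload) {
  requirePermission(context, "admin:read");
  const targetUserId = payload && payload.targetUserId;
  if (typeof targetUserId !== "string" || targetUserId.length === 0) {
    throw new Error("invalid targetUserId");
  }
  const reports = context.services
    .get("mongodb-atlas")
    .db("app")
    .collection("reports");
  return reports.find({ reportedUserId: targetUserId }).toArray();
}

// Constructed stand-in for the Atlas `context` object so the example runs
// offline. `system` mirrors context.runningAsSystem(); `user` mirrors
// context.user; `reports` is an in-memory collection.
function makeContext({ system = false, user = null, reports = [] } = {}) {
  return {
    runningAsSystem: () => system,
    user,
    services: {
      get: () => ({
        db: () => ({
          collection: () => ({
            find: (query) => ({
              toArray: async () =>
                reports.filter((r) => r.reportedUserId === query.reportedUserId),
            }),
          }),
        }),
      }),
    },
  };
}

// In a real Atlas Function the body would be `exports = async function (payload) { ... }`
// and would use the global `context`; here a constructed context is passed in.
const sampleReports = [
  { reportedUserId: "user-42", reason: "spam" },
  { reportedUserId: "user-42", reason: "abuse" },
  { reportedUserId: "user-7", reason: "spam" },
];
const adminCtx = makeContext({
  user: { id: "admin-1", custom_data: { permissions: ["admin:read"] } },
  reports: sampleReports,
});
getProfileReports(adminCtx, { targetUserId: "user-42" }).then((rows) =>
  console.log(`admin sees ${rows.length} reports`)
);
```

Keeping the check in the function (rather than trusting anything the client sends about its own role) is what makes the System-authenticated function safe to expose: the only inputs that decide authorization are `context.runningAsSystem()` and the `custom_data` that Atlas attaches server-side to the verified user.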

Thank you for your insight. Would you recommend adding this functionality to the mobile app itself and putting it in a secured area, or creating a web app whose sole purpose is this admin area? It comes with its pros and cons, and I would like to get others' opinions on it.

When I put it into the app, I can use screens that I am used to, but it makes things complicated within a production app.

Whether you want to put an admin area in the user’s app depends entirely on who has to use it.
If only you and specific people can use it, you shouldn’t put it in the same app but make a new special app just for the admin area or, like you said, a custom web interface for that.
2 reasons for that:

  1. you want to keep app size as small as possible to attract more downloads and users
  2. if you put the admin area in the app, some people can easily reverse engineer the app (there’s not really a “secured area”) and then see all the possible options you put in the admin area. This gives people with bad intents insights into your app’s backend structure which otherwise there would be no way for them to know. This could help them plan better attacks.

Also it’s super easy to make this admin area in a special app, because you don’t even have to upload it to Google Play. Just install it directly to the admin’s devices. Or just make it a web interface.

Otherwise, if it’s an area some users you don’t know personally will probably get access to, it might be better to implement it in the app. It would be more secure but maybe harder to use for those users if you just give them access to the web interface.

Thank you again for your insight. Yes, it is indeed only for a specific group of users, so I will go with a web app.

1 Like