I saw the mention of Google's CEL for authorisation and permission, however woul... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		p2hari on Aug 22, 2024 \| parent \| context \| favorite \| on: Show HN: InstantDB – A Modern Firebase I saw the mention of Google's CEL for authorisation and permission, however would like to know a little about security. Apart from the appId, can I restrict call to db by domain etc. Firebase has protection on such things . somebody should not just take the appId and start calling db.

stopachka on Aug 23, 2024 | [–]

We don't currently expose the `domain` a request comes from in permissions, but we'd be happy to add that in. I've opened up a ticket here [1].

[1] https://github.com/instantdb/instant/issues/18

noah32 on Aug 23, 2024 | [–]

having abused a number of firebase databases I can say that the domain restrictions that firebase has don't do anything at all.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact