What's the point of creating a Platform if every mobile client app can access Appwrite?

  • 1
  • Android
  • Flutter
  • Apple
『SixthSense』
6 Dec, 2023, 05:49

At first I thought that we have to create a platform to let the mobile client app with the correct bundle id or package name have access to Appwrite. But that's not the case. I deleted the Flutter iOS app platform. How come, when I run the app, it still has access to Appwrite? I expected the app to not have access or to fail fetching data from Appwrite. This means that all I need is an endpoint, a project id, and a client SDK. Boom, nothing prevents me from accessing people's Appwrite service.

TL;DR
User is questioning the purpose of creating a platform if any mobile client app can access Appwrite. They suggest implementing a sha1 key for increased security. They provide a link to a GitHub issue discussing this topic. OP suggests that Appwrite should have a solution similar to Firebase's sha1 key system to ensure that only real apps can access data. Some users mention that creating custom logic and implementing rate limits can help prevent abuse. OP asks for more details on implementing this logic through Appwrite functions. Suggestions are given to prevent fake app logins and restrict access to public collections through permissions. OP suggests that Appwrite should have an inbuilt Google
Shubham
6 Dec, 2023, 06:31

I also have the same thinking. Appwrite should have the Google Integrity API inbuilt in it, so that only the real app can get data.

Drake
6 Dec, 2023, 09:41

This is typically how REST APIs work. If you need to prevent access, you should do so with permissions.

『SixthSense』
6 Dec, 2023, 09:51

Ahh, I see. But we don't really have ways to prevent access to public collections? Since my client app doesn't use authentication, I need to make the collections readable by "any". Also, I don't want others to freely abuse my Appwrite service, for which I have to pay. Any suggestion for my use case?

Shubham
6 Dec, 2023, 10:37

I want to prevent users from creating an account and logging in to my app from a fake app. Which permission should we set in Appwrite?

Drake
6 Dec, 2023, 11:14

Please create a separate post

Drake
6 Dec, 2023, 11:17

There's probably no way to block all abuse. You can make it harder to abuse if you use an Appwrite function and put your own rate limit in somehow.

『SixthSense』
6 Dec, 2023, 11:49

Can you please explain it in a little bit more detail? What kind of logic do I need to run via Appwrite functions? I think putting in the rate limit will also affect all client apps, right?

D5
6 Dec, 2023, 12:01

You can create your own logic to handle it, so you can make it per account, etc

Shubham
6 Dec, 2023, 12:27

If I have to make the login system by myself, then what is the benefit of using Appwrite? Like in Firebase, there is a SHA1 key so that only the real app can access data. Appwrite should have this type of solution.

D5
6 Dec, 2023, 12:28

I mean logic

D5
6 Dec, 2023, 12:29

SHA1 key can be bypassed too, probably

D5
6 Dec, 2023, 12:31

Shubham
7 Dec, 2023, 04:52

But getting a SHA1 key is hard, I think. Maybe it will be bypassed, but it increases security.
