Security Improvements To PB Website And Repo

[SkySingh04]

• Put validation Checks in the API and the frontend code
• Make sure the recaptcha, works properly so there will be a rate limit mechanism
• one email address can register once only
• implement CSRF token for all API endpoint
• Remove those API that prints out the entire db, if it is an admin functionality then put the nesscary auth mechanism there

[SkySingh04]

We also need to update the firebase rules to enable read/write only for authenticated users

[SkySingh04]

so in short, you guys need to

• remove db calls, validation from the frontend
• auth calls is ok
• this means your firebase config will still be public
• learn about firebase service accounts - https://firebase.google.com/docs/admin/setup
• configure firebase rules to only allow db calls from the service account
• this will make sure even if someone tries to call the db using the publicly available firebase config, firebase will block it
• use firebase functions / AWS lambda to call the db using the firebase admin SDK
• set up some APIs to interact with firebase functions or AWS lambda

[SkySingh04]

Progress Update :
-> Removed all Db calls from frontend in #117

[SkySingh04]

Progress Update:
Validation checks moved to backend in #128
Recaptcha Implemented in #75
Implement CSRF token for all API endpoint : Marked as will not fix

[SkySingh04]

Validation from frontend removed in #130