Securing your next React Native app
If you are a full-stack developer like me, you should always consider securing both your server and your client so that no database breaches or other bad things happen. Let's check out the fundamentals first.
Never trust the client. Anyone can alter client logic, reverse engineer what your client does, and learn how to impersonate it. On the backend, you should never trust an incoming request; you always need to verify that it comes from a trustworthy source.
JWT Authentication
You need to implement some sort of JWT authentication. This can be done with Firebase or other auth providers; I always prefer Firebase, and even if there is no sign-in, I just use anonymous auth. This token should expire in 30 minutes at most. Make sure the client sends this token in every request it makes to the server, and verify the token first, even for the smallest thing.
Firewall & Server protection
If you have just rented a server, your first immediate step should be setting up a firewall: allow only ports 22, 443 and 80. Never expose database ports. The client should not be able to connect directly to the database; have your backend do the database work. Disable SSH password login and enable key-based login. Consider installing the fail2ban package if you must keep password login. Use Cloudflare for DDoS protection. I also use Cloudflare to generate SSL certificates for my server. It's a miracle.
Rate limit
Allow a maximum of about 30 requests per minute. You should implement this to stop brute-force attacks and to prevent heavy load on the backend.
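As an added example (not from the original post), the sliding-window limiter below enforces the 30-requests-per-minute figure per client and returns 429 with a Retry-After header once the budget is spent. The clock is injected so the behaviour is deterministic; the in-memory Map, the choice of keying on the authenticated subject with the IP as fallback, and the Express-style request and response shapes are assumptions of this example.

```javascript
// Added example: per-client sliding-window rate limiting, 30 requests per minute.
// The store is an in-memory Map (assumed); a shared deployment would use Redis or similar.
const MAX_REQUESTS = 30;
const WINDOW_MS = 60 * 1000;

class RateLimiter {
  constructor(maxRequests = MAX_REQUESTS, windowMs = WINDOW_MS) {
    this.max = maxRequests;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> ascending list of request timestamps (ms)
  }

  // Decide one request. Returns { allowed, remaining, retryAfterMs }.
  check(key, nowMs) {
    const cutoff = nowMs - this.windowMs;
    // Keep only timestamps still inside the window; with max=30 this stays tiny.
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.max) {
      this.hits.set(key, recent);
      // The oldest hit in the window is the one that will expire first.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - nowMs };
    }
    recent.push(nowMs);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.max - recent.length, retryAfterMs: 0 };
  }

  // Drop idle keys so the map does not grow without bound.
  prune(nowMs) {
    const cutoff = nowMs - this.windowMs;
    for (const [key, list] of this.hits) {
      if (list.length === 0 || list[list.length - 1] <= cutoff) this.hits.delete(key);
    }
  }
}

// Express-style middleware. Key on the verified user when present (so one user
// cannot spread requests across IPs), otherwise on the source IP.
function rateLimit(limiter, clock = Date.now) {
  return (req, res, next) => {
    const key = (req.user && req.user.sub) || req.ip;
    const r = limiter.check(key, clock());
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      res.status(429).json({ error: 'too many requests' });
      return;
    }
    next();
  };
}

// Usage: app.use(requireAuth); app.use(rateLimit(new RateLimiter()));
module.exports = { RateLimiter, rateLimit, MAX_REQUESTS, WINDOW_MS };
```

Mount it after authentication so the key is the token subject rather than a spoofable header, and remember that the Retry-After value tells a well-behaved client when to come back while the count keeps rejecting the rest.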
Save devices in your database
This is optional, but I tend to keep each device in my database. Each device has information such as the following: deviceId, isEmulator, osVersion, brand, and the list goes on. isEmulator is the key part here; you can gather this info from react-native-device-info. Yes, you should not trust the client, but at least this is a way to get rid of some percentage of attacks.
Allow max 3~ signups from same deviceId
If this suits your app, users should not be able to abuse your sign-up system, so allow a maximum number of accounts per deviceId. If it is exceeded, disable all users with that deviceId and block any incoming requests with that deviceId.
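As an added example (not from the original post), the registry below serves both the "save devices" and the "max 3 signups per deviceId" sections: it shape-checks the client-reported fields the post names (deviceId, isEmulator, osVersion, brand) before storing them, counts sign-ups per deviceId, and on the attempt that exceeds the cap disables every account created from that device and blocks the device for all future requests. The in-memory Maps, the deviceId format check, the X-Device-Id header and the Express-style guard are assumptions of this example; a real backend would persist the same state in its database.

```javascript
// Added example: device registry with a per-device sign-up cap and a request guard.
// Field names and the limit of 3 come from the post; the storage and header are assumed.
const MAX_SIGNUPS_PER_DEVICE = 3;

class DeviceRegistry {
  constructor(maxSignups = MAX_SIGNUPS_PER_DEVICE) {
    this.maxSignups = maxSignups;
    this.devices = new Map(); // deviceId -> { info, signups: [userId...], blocked }
    this.users = new Map();   // userId -> { deviceId, disabled }
  }

  // The client is untrusted, so every reported field is shape-checked and
  // length-bounded before it is stored. Returns null for malformed input.
  static normalize(info) {
    if (!info || typeof info.deviceId !== 'string' || !/^[A-Za-z0-9_-]{8,64}$/.test(info.deviceId)) return null;
    return {
      deviceId: info.deviceId,
      isEmulator: info.isEmulator === true, // anything but an explicit true is treated as false
      osVersion: typeof info.osVersion === 'string' ? info.osVersion.slice(0, 32) : 'unknown',
      brand: typeof info.brand === 'string' ? info.brand.slice(0, 32) : 'unknown',
    };
  }

  // Record a device or refresh its info. Returns false if the info is malformed.
  upsertDevice(rawInfo) {
    const info = DeviceRegistry.normalize(rawInfo);
    if (!info) return false;
    const existing = this.devices.get(info.deviceId);
    if (existing) existing.info = info;
    else this.devices.set(info.deviceId, { info, signups: [], blocked: false });
    return true;
  }

  isBlocked(deviceId) {
    const d = this.devices.get(deviceId);
    return !!d && d.blocked;
  }

  isUserDisabled(userId) {
    const u = this.users.get(userId);
    return !!u && u.disabled;
  }

  // Attempt a sign-up. Returns { ok, reason }. Once the cap is exceeded, every
  // user tied to the device is disabled and the device is blocked.
  signup(rawInfo, userId) {
    if (!this.upsertDevice(rawInfo)) return { ok: false, reason: 'bad_device_info' };
    const d = this.devices.get(rawInfo.deviceId);
    if (d.blocked) return { ok: false, reason: 'device_blocked' };
    if (d.signups.length >= this.maxSignups) {
      d.blocked = true;
      for (const uid of d.signups) this.users.get(uid).disabled = true;
      return { ok: false, reason: 'device_limit_exceeded' };
    }
    d.signups.push(userId);
    this.users.set(userId, { deviceId: d.info.deviceId, disabled: false });
    return { ok: true, reason: null };
  }
}

// Request guard: refuse anything from a blocked device or a disabled user
// before a handler runs. Expects the client to send its deviceId in X-Device-Id.
function deviceGuard(registry) {
  return (req, res, next) => {
    const deviceId = req.headers['x-device-id'];
    const disabledUser = req.user && registry.isUserDisabled(req.user.sub);
    if (typeof deviceId !== 'string' || registry.isBlocked(deviceId) || disabledUser) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    next();
  };
}

// Usage: app.use(requireAuth); app.use(deviceGuard(registry));
module.exports = { DeviceRegistry, deviceGuard, MAX_SIGNUPS_PER_DEVICE };
```

Because the deviceId itself comes from the client, the guard is a filter rather than proof of anything; the stored isEmulator flag is there so you can review or act on emulator-originated accounts separately, which is the "some percentage of attacks" the post refers to.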