How secure is firebase with auth?

I'm not sure where to start, but I recently came across "Firebase" when searching for a way to go without a server-side database. Although I think I'm interested, I was a little worried about putting my API codes directly into JS files, which obviously may be an issue, but I read that you can change the read/write rules and require authentication, so I don't worry about the API anymore after reading some pages.

but the main question is:

I wanted to create an admin portal for my page, so my example admin page is at localhost/admin/. The page will just have a login form for accessing the portal, so everything is set up like this:

var config = {
    apiKey: "",
    authDomain: "",
    databaseURL: "",
    projectId: "",
    storageBucket: "",
    messagingSenderId: ""
};

firebase.initializeApp(config);

// Fires on page load and again whenever the sign-in state changes.
firebase.auth().onAuthStateChanged(function(user) {
    if (user) {
        // Signed in: send the user to the portal page.
        window.location = '/portal.html';
    } else {
        // Signed out: stay on the login form.
    }
});

$("#loginbtn").click(function() {
    var email = $('#login-name').val();
    var password = $('#login-pass').val();

    firebase.auth().signInWithEmailAndPassword(email, password)
        .catch(function(error) {
            // Handle errors here, e.g. show error.message next to the form.
            console.error(error.code, error.message);
        });
});

So, when I log in successfully, it will redirect me to this page, but can anyone just look at the source code, then go to that page manually and enter it?

Or even if I intend to create a single-page application and decide to change the state of the page after login, whatever functionality I intend to run after that, can someone else find it out and enter the code?

I don't know much about this, but this is what I was thinking about before starting my project. Is there also another way?

+3




1 answer


If you want to add admin capabilities and use a realtime Firebase database, you need to set up some custom Firebase rules to allow admins to access restricted data. This way, if a non-admin user signs in, they cannot modify / access admin-only data. One way to do this with Firebase rules is to have a /whitelist node:

    /whitelist: { uid1: "bojeil@bla.com", uid2: "puf@bla.com" }

to store all whitelisted admin IDs, and then top-level security rules for the restricted admin-only nodes, for example:

    ".write": "auth != null && root.child('whitelist').child(auth.uid).exists()"

It's pretty simple, but it goes a long way.

Unless you are using a realtime database and are building a traditional web application, you need to protect the restricted admin resources. You will need to send the Firebase ID token to your server. This can be done by setting a session cookie with its value and making sure to update this session cookie every hour or so when the Firebase ID token is refreshed. When the cookie is sent with your request, you validate it, decrypt it (you can use the Firebase Admin SDK to do this) and make sure the user it belongs to is an administrator. If so, you allow access; otherwise you block access. On each page, you must add an onAuthStateChanged listener. If it triggers with null, you redirect to the login page. If the session cookie contains an ID token for a non-admin, you can redirect on the HTTP server side to a non-admin section.



TL;DR: you need to perform the verification on your backend by sending the Firebase ID token with the request and double-checking that its user has the appropriate privileges.

+3


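As an added example (not code from the original answer, and not Firebase's own code), here is the server-side check the answer describes, written in Node-style JavaScript. It makes the point of the question concrete: the client's `window.location = '/portal.html'` redirect is cosmetic, and the only thing that actually protects the portal is a server that reads the session cookie, verifies the ID token and looks the user up in the /whitelist node before serving the page. The cookie name `session`, the non-admin landing page `/`, the fixed clock and the token table are assumptions constructed so the example runs offline; in a real deployment `verifyIdToken` would be firebase-admin's `admin.auth().verifyIdToken(idToken)` and `isAdmin` a read of `/whitelist/<uid>` from the database.

```javascript
// Added example, not from the original post or from Firebase. A server-side
// admin gate built the way the answer describes. The only piece a real
// deployment swaps in is firebase-admin's admin.auth().verifyIdToken(idToken),
// which returns a Promise of the decoded claims and rejects on a forged or
// expired token; everything else here is a constructed stand-in.

const SESSION_COOKIE = 'session';   // assumed cookie name
const LOGIN_PAGE = '/admin/';       // the login page from the question
const NON_ADMIN_PAGE = '/';         // assumed landing page for signed-in non-admins

// Parse a raw Cookie request header ("a=1; session=abc") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Build the gate from two injected dependencies:
//   verifyIdToken(token) -> Promise<claims>  (rejects if invalid or expired)
//   isAdmin(uid)         -> Promise<boolean> (does /whitelist/<uid> exist?)
// The returned function tells an HTTP handler what to do with one request.
function createAdminGate({ verifyIdToken, isAdmin }) {
  return async function checkRequest(cookieHeader) {
    const token = parseCookies(cookieHeader)[SESSION_COOKIE];
    if (!token) return { status: 302, redirect: LOGIN_PAGE }; // no session yet
    let claims;
    try {
      claims = await verifyIdToken(token);
    } catch (err) {
      return { status: 302, redirect: LOGIN_PAGE };           // forged or expired: sign in again
    }
    if (!(await isAdmin(claims.uid))) {
      return { status: 403, redirect: NON_ADMIN_PAGE };       // valid user, but not an admin
    }
    return { status: 200, uid: claims.uid };
  };
}

// ---- constructed stand-ins so the gate runs offline ----
const NOW = 1700000000;  // fixed "current time" (seconds) keeps the example deterministic
const FAKE_TOKENS = {    // token string -> claims a real verifier would return
  'tok-admin':   { uid: 'uid1', exp: NOW + 3600 },
  'tok-user':    { uid: 'uid3', exp: NOW + 3600 },
  'tok-expired': { uid: 'uid1', exp: NOW - 60 },   // stale cookie, not refreshed in time
};
const WHITELIST = { uid1: 'bojeil@bla.com', uid2: 'puf@bla.com' }; // the answer's /whitelist node

async function fakeVerifyIdToken(token) {
  const claims = FAKE_TOKENS[token];
  if (!claims || claims.exp <= NOW) throw new Error('invalid or expired ID token');
  return claims;
}

async function fakeIsAdmin(uid) {
  return Object.prototype.hasOwnProperty.call(WHITELIST, uid);
}

const checkRequest = createAdminGate({ verifyIdToken: fakeVerifyIdToken, isAdmin: fakeIsAdmin });

// Express-style wiring (sketch, assumed):
// app.get('/portal.html', async (req, res) => {
//   const d = await checkRequest(req.headers.cookie);
//   if (d.status !== 200) return res.redirect(d.redirect);
//   res.sendFile(portalPath);
// });

if (typeof require !== 'undefined' && require.main === module) {
  Promise.all(['session=tok-admin', 'session=tok-user', 'session=tok-expired', ''].map(checkRequest))
    .then(results => results.forEach(r => console.log(r)));
}
```

The decision logic is separated from the two I/O calls so it can be exercised without a Firebase project: the admin token yields 200, a valid non-admin token yields 403, and a missing or expired cookie sends the browser back to the login page. Because a forged cookie simply fails verification, reading the client-side source tells an attacker nothing that helps them past this check.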