11

I am working on deploying my Node.js app into production. We had been running into some CSRF issues but after looking deeper into the problem and learning more about CSRF attacks, I'm wondering if we even need to perform these checks.

Our API is whitelisted from our CSRF checks so our mobile apps that rely on the API can run properly (we're working on securing that currently). On the web frontend, we allow our users to register/log in and create/edit their data. We use Firebase's email/password authentication system to perform authentication (https://firebase.google.com/docs/auth/web/password-auth). As I understand it, this means we don't have to worry about CSRF attacks on registering and logging in because Firebase handles that. My question is: if we make sure our users are authenticated with Firebase on each POST route in our app, does that mean we don't have to worry about CSRF attacks?

user3858610

1 Answer

43

CSRF becomes an issue when you are saving a session cookie. Firebase Auth currently persists the Auth state in web storage (localStorage/indexedDB), and it is not transmitted along with requests. You are expected to run client-side code to get the Firebase ID token and pass it along with the request via a header, the POST body, etc. On your backend, you would verify the ID token before serving restricted content or processing authenticated requests. This is why, in its current form, CSRF is not a problem: JavaScript is needed to get the ID token from local storage, and local storage is single host origin, making it not accessible from different origins.

If you plan to save the ID token in a cookie or set your own session cookie after Firebase Authentication, you should then look into guarding against CSRF attacks.

bojeil
  • Awesome thank you! That makes sense. Just wanted to make sure we're not misunderstanding anything – user3858610 Jan 29 '18 at 19:09
  • If this answers your question, please select it so others who have similar questions can benefit from the same answer. Thanks. – bojeil Jan 29 '18 at 23:01
  • The flip side to this is that we are then vulnerable to XSS attacks, right? – alex067 Mar 02 '20 at 15:12
  • @alex067 XSS is a different problem, and this answer does not make your website more exposed to XSS attacks. If you do have an XSS vulnerability, however, the above answer has less effect, but that was not the question answered here. – Jens Jun 29 '20 at 07:12
  • relevant docs: https://firebase.google.com/docs/auth/admin – Patrick Michaelsen Nov 04 '22 at 03:23
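
The backend check the answer describes, as an added example that is not part of the original answer or Firebase's own code: an Express-style middleware that accepts the ID token only from the `Authorization` header, run against a constructed legitimate request and a constructed forged cross-site request. The helper names and the stub verifier are assumptions; in a real app the injected verifier would be the Admin SDK's `admin.auth().verifyIdToken`.

```javascript
// Added example; extractIdToken, requireIdToken and stubVerify are hypothetical names.
// In a real app, inject (t) => admin.auth().verifyIdToken(t) from the Firebase Admin SDK.

// Read the ID token only from "Authorization: Bearer <jwt>". Cookies are never
// consulted: a cross-site request carries the victim's cookies automatically,
// but the attacking page cannot read the token from the app's web storage
// to put it in this header.
function extractIdToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const m = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/.exec(header);
  return m ? m[1] : null;
}

// Express-style middleware: reject unless the header carries a token that verifies.
function requireIdToken(verifyIdToken) {
  return async function (req, res, next) {
    const token = extractIdToken(req);
    if (!token) { res.statusCode = 401; return res.end('missing ID token'); }
    try {
      req.user = await verifyIdToken(token); // decoded claims, e.g. { uid }
    } catch (err) {
      res.statusCode = 401;
      return res.end('invalid ID token');
    }
    return next();
  };
}

// Constructed stand-in for the Admin SDK verifier: accepts one sample token.
const stubVerify = async (t) => {
  if (t !== 'aaa.bbb.ccc') throw new Error('bad token');
  return { uid: 'user-1' };
};

// Constructed sample requests.
const legitimate = { method: 'POST', headers: { authorization: 'Bearer aaa.bbb.ccc' } };
// What a forged cross-site POST looks like: cookies attached, no Authorization header.
const forged = { method: 'POST', headers: { cookie: 'session=abc; idToken=aaa.bbb.ccc' } };

// Run one request through the middleware with a minimal response object.
async function run(req, verifyIdToken = stubVerify) {
  const res = { statusCode: 200, body: '', end(b) { this.body = b; } };
  let reached = false;
  await requireIdToken(verifyIdToken)(req, res, () => { reached = true; });
  return { status: res.statusCode, reached, uid: req.user ? req.user.uid : null };
}
```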