4

Here I am working on yet another client project that requires no backend. I'd like to use Firebase because it does everything we need, and in fact we've already built most of the microsite.

We didn't want to require our users to enter email, as we believe it's giving up too much identifiable information. Instead what we do is assign a @users.ourdomain.com email at sign-up & sign-in IF the user doesn't want to provide their own email address and remain more or less anonymous but still can access the site and their data again if needed. The microsite is a one-time experience (maybe two if you show your friends), nobody will come back in a year with a forgot password, so that's irrelevant for this situation.

I've come to realize that there's no way to fully secure the createUserWithEmailAndPassword function, as anyone can spam it and create tons of accounts and use up all usernames or emails. Is there any way to incorporate a captcha-like system without implementing a separate backend / token auth for Firebase?

The only solution I can think of right now is to fire up AWS Lambda just to handle Captcha & Tokening. But of course any solution that will remove the necessity of a backend is preferable. Has anyone else run into a similar problem before? If so, how did you end up solving it?

Many thanks for your time, happy coding.

johnozbay

1 Answer

7

Firebase Authentication supports the authentication providers listed in its documentation. There is no built-in captcha support for its email+password provider. But to be honest, it sounds like you could reach most of your stated goals with anonymous authentication, which will be a lot simpler.

Aside from that, you seem concerned about malicious user creation. While that is definitely a possibility, it has no impact on a well-designed app. Authentication (knowing that you are you) has no impact on authorization (what you are allowed to do). For a good answer on that topic, see How to prevent other access to my firebase.

Frank van Puffelen
  • Looking deeper into Anonymous Authentication, I've realized there's an option to convert to permanent account. Pretty much solves our biggest problem. Thanks a million! – johnozbay Feb 22 '17 at 15:44
  • @Frank van Puffelen, is there any built-in way to prevent malicious user creation? Captcha is the only custom solution I can think of. Is there any built-in security way to prevent it, like trying to log the androidId, deviceId or other factors that Firebase can know about? – yarin Jul 09 '17 at 14:39
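
The authentication-versus-authorization point in the answer, shown as an added example that is not part of the original question, answer or comments: Firebase Realtime Database security rules that scope each record to its owner's uid, so accounts created in bulk gain no access to anyone else's data. The use of the Realtime Database and the `/users/$uid` layout are assumptions about how the microsite stores its data.

```json
{
  "rules": {
    // Weak alternative, shown only as a comment: ".read": "auth != null" placed at
    // this level would let every signed-in account, including mass-created ones,
    // read all data. Being signed in is authentication, not authorization.
    "users": {
      "$uid": {
        // Only the account whose uid matches this path segment may read or write
        // the record. Anonymous accounts also carry a uid, so this applies to them.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
    // No rule grants access to any other path, so everything else is denied by default.
  }
}
```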