
I have a project where one app needs to access multiple databases sharded across multiple Firebase projects. Now, since it's the same app, I can't use the same SHA1 across all the projects where I add the app.

I do not add any google-services.json files for any of the projects; instead I fetch the database URL, the storage bucket info, the API key and the app IDs for each project from my own server, which keeps track of all the sharded Firebase projects.

My question is, with just this much information, can anyone just authenticate to Firebase?

There's no SHA1 protection, so is my DB even safe with the auth != null rule? (Since anyone can initialize FirebaseApp with this info, get a FirebaseAuth instance and sign in anonymously.) In summary for this one, can anyone just make an app of their own, use the info and access/manipulate my database?

How can I secure my app if it's not secure with the current configuration?

Kushan

2 Answers

2

Yes, that should be enough information to create a web app that connects to your database.

But this should not be a problem if the database rules and auth providers are the right ones for your case. For example:

  • If you don't want anonymous users to authenticate with your app, disable the option in the Firebase console.
  • If you want to give access only to a limited set of users without enabling new signups (or if you have special requirements for auth), then use a custom auth provider.
  • If you want to limit access to certain parts of your database (or need different user roles), adjust your database rules.

I hope that answers your question!

marcorei
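What the third bullet looks like in practice, as an added example that is not part of marcorei's answer: a Realtime Database rule set that replaces a blanket `"auth != null"` grant (which any client holding the public config can satisfy by signing in anonymously) with per-user rules. The `/users/$uid` layout is an assumption made for this example. The `auth.token.firebase.sign_in_provider` check refuses writes from anonymous sessions, which covers the case where the anonymous provider has not yet been switched off in the console.

```json
{
  "rules": {
    // Deny everything by default; grants are made per path below.
    // Rules cascade downward, so a deny at the root can be opened at a child,
    // but a grant at a parent cannot be revoked at a child.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // Assumed layout for this example: each user owns /users/<their uid>.
        // Being signed in is not enough; the uid in the token must match the path.
        ".read": "auth != null && auth.uid == $uid",

        // Writes additionally require a non-anonymous sign-in method.
        ".write": "auth != null && auth.uid == $uid && auth.token.firebase.sign_in_provider != 'anonymous'",

        // Keep the per-user subtree to a known shape.
        ".validate": "newData.hasChildren(['profile'])"
      }
    }
  }
}
```

The weak configuration the question describes is the single rule `".read": "auth != null", ".write": "auth != null"` at the root. With that rule, the API key and database URL are sufficient for anyone to read and write everything after an anonymous sign-in. The set above still treats the config as public; it relies on the uid in a verified ID token, which a client cannot forge without the project's signing keys. Deploying it with `firebase deploy --only database` applies it to the project selected in `.firebaserc`, so for a sharded setup the same rules file has to be deployed to every shard project.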
1

After a little research and a little brainstorming, I came to the conclusion that the OAuth domain, which by default is localhost and the firebase-app domain, will prevent anyone from directly authenticating to my Firebase app.

Even if the API key and other info is exposed, as long as the service account is hidden, the auth domain will protect my app, since the auth domain will cause authentication from a non-authorized domain to fail. Maybe I'll even want to remove localhost in production :)

Kushan
  • Just a thought, but wouldn't you be able to go to your Firebase app domain, inject the JavaScript on the 404 page and sign in anonymously that way? – marcorei Dec 24 '17 at 15:14
  • I don't know how JavaScript injection works, so no idea, man... Anyway, I found this from a similar question for Web: https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public . Anyway, I simply have no other way to restrict people. I guess having the services JSON file always has some amount of risk, but it's kind of non-optional. – Kushan Dec 24 '17 at 15:18