2

I'm curious about this from a general development perspective of how to secure access to online resources. We initialize our webapp with the following firebase configuration parameters:

  • apikey
  • authdomain
  • projectid
  • databaseurl
  • messagesenderid

How does the server use these to ensure that the requests are valid? Mainly why can't someone else just fish these parameters out of the application and then create another "Evil" application that uses the same parameters for "Evil".

"Evil" would include creating a different app with the same credentials fished up of the real app, signing up users against the same credentials contained in the real app using the plain email / password signup form, and then once the users are signed in doing even more "Evil".

Also simple node express js application and we wanted to secure access to it using the above parameters how would that work from an application request lifecycle perspective?

1) Express receives request

2) Express checks that ...

Lastly is any of this part of how openid-connect works? In other words is it following the openid-connect spec at all or is a custom based security solution built specifically for firebase?

Ole
  • 41,793
  • 59
  • 191
  • 359

1 Answers1

5

These configuration parameters do nothing more than identify your Firebase project on the various servers. They are not in any way meant as an authentication/authorization mechanism.

See my answers here:

You'll note that most of these point to Firebase Authentication for authenticating users, and then server-side security rules for authorizing their access. With both of these in place, it doesn't really matter anymore what code performs the access. If the user is authenticated against the same back-end, and the data access adheres to your server-side security rules, it means it follows the rules you set, no matter whose code it is.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807