I am using Firebase Auth for a web app that involves financial transactions. Thus, security is the most important thing for my app. According to this doc, Firebase can persist its token across multiple sessions by storing it somewhere. It does not mention how safe it is from XSS. Of course, I can just assume it's safe because it's Google, but I want to know more about it.

We've all read articles noting how localStorage is unsafe for storing auth, and that cookie + CSRF token + JWT + httpOnly is a more secure way to handle auth for browsers.

How does Firebase store its token? Does it use localStorage or cookie, or combination of both?

Joon
  • I've noticed when you use a private browser, the user info and the tokens are stored in a secure cookie, not the IndexedDB. – anasqadrei Aug 11 '20 at 01:57

1 Answer

Firestore saves the token in an IndexedDB (https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API). The DB is named "firebaseLocalStorageDb", the object store is named "firebaseLocalStorage", and the key is firebase:authUser:[id].

For further code review, check out https://github.com/firebase/firebase-js-sdk/blob/master/packages/auth/src/authuser.js .

R. Wright
  • On the security side, I think there is a lot of debate on cookie vs. local storage (https://stackoverflow.com/questions/44133536/is-it-safe-to-store-a-jwt-in-localstorage-with-reactjs), so it's probably not simple/clear-cut to call it secure or not. – R. Wright Oct 02 '18 at 00:29
  • And another good one: https://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf?rq=1 – R. Wright Oct 02 '18 at 00:37
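A read-only audit helper for verifying the answer above in the browser console of an app you operate, added here as an example (not code from the question, the answer, or the Firebase SDK). The database, object store and key-prefix names are the ones the answer gives; the JWT-shape heuristic, the redaction and the function names are this example's own.

```javascript
// Added example, not code from the question or the Firebase SDK: a read-only audit
// helper for the browser console of an app you operate, to confirm where Firebase
// Auth persisted the signed-in user. DB/store/prefix names are from the answer.
const FIREBASE_DB = 'firebaseLocalStorageDb';
const FIREBASE_STORE = 'firebaseLocalStorage';
const AUTH_KEY_PREFIX = 'firebase:authUser:';

// A compact JWS/JWT is three base64url segments joined by dots (alg "none" has an empty third).
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

function looksLikeJwt(value) {
  return typeof value === 'string' && JWT_RE.test(value);
}

// Walk a persisted record and return the dotted path of every JWT-shaped string,
// reporting only its length so the output never contains a usable token.
function findJwtPaths(obj, prefix = '') {
  const hits = [];
  if (obj === null || typeof obj !== 'object') return hits;
  for (const [k, v] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${k}` : k;
    if (looksLikeJwt(v)) hits.push({ path, length: v.length });
    else if (typeof v === 'object') hits.push(...findJwtPaths(v, path));
  }
  return hits;
}

// Browser only: iterate the store with a cursor (no assumption about record field names)
// and report, per firebase:authUser:* key, which fields hold JWT-shaped values. Any script
// on this origin can read the same records, which is the XSS exposure the question raises.
function auditFirebaseAuthStorage(idb = globalThis.indexedDB) {
  return new Promise((resolve, reject) => {
    if (!idb) return reject(new Error('IndexedDB is not available here'));
    const open = idb.open(FIREBASE_DB); // note: creates an empty DB if none exists yet
    open.onerror = () => reject(open.error);
    open.onsuccess = () => {
      const db = open.result, report = [];
      if (!db.objectStoreNames.contains(FIREBASE_STORE)) { db.close(); return resolve(report); }
      const req = db.transaction(FIREBASE_STORE, 'readonly').objectStore(FIREBASE_STORE).openCursor();
      req.onerror = () => reject(req.error);
      req.onsuccess = () => {
        const cur = req.result;
        if (!cur) { db.close(); return resolve(report); }
        if (String(cur.key).startsWith(AUTH_KEY_PREFIX)) report.push({ key: cur.key, jwtFields: findJwtPaths(cur.value) });
        cur.continue();
      };
    };
  });
}
```

Run `auditFirebaseAuthStorage().then(console.table)` in the console of a signed-in session to see which persisted fields are JWT-shaped without ever printing a token.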