
I'm building a web app that will allow users to create online orders. When used as intended, the order will be submitted once the payment is processed.

I'm concerned that a user will be able to bypass the payment step by grabbing the Firebase API key and their own Firebase Auth JWT and be able to attack the database.

I know that Firebase Auth will store the JWT in the browser, but is this viewable in the dev tools? If so, can someone grab that and combine it with the Firebase API key to make manual posts to the database? Do they need to decode it first?

Marcus Gallegos

  • 1) Anyone can authenticate with the built-in providers once they have your API key, which is readily accessible (and [meant to be](https://stackoverflow.com/q/37482366/209103)). But that does nothing more than prove (for whatever level of proof that provider requires) who they are. It only grants them access to your database, if the security rules of your database allow that. Don't mistake authentication (proving who you are) with authorization (allowing a known user access to specific data/services), as the two are quite separate in Firebase. – Frank van Puffelen Feb 21 '19 at 16:12
  • 2) To copy a JWT from the browser's dev tools, the user would have to have access to your browser instance. I'd say you have more concerns at that point than just the JWT of this user in your Firebase project. Same with concerns about intercepting tokens on the wire. Since all traffic from/to Firebase goes over SSL, interception would require someone being able to decrypt your traffic (so have access to your cert), at which stage the problem is a lot bigger than just your Firebase tokens. – Frank van Puffelen Feb 21 '19 at 16:13
  • Thanks @FrankvanPuffelen! I hadn't realized how interchangeably I was using the terms authentication vs. authorization. To your point, I will only authorize authenticated users to post to a certain Firestore collection using the built-in Security Rules. I still am not clear: **once they authenticate, could they grab the JWT created by Firebase and stored in their browser to then manually make posts to Firestore?** This would be problematic because I only want users to post after they have made a payment. – Marcus Gallegos Feb 21 '19 at 17:33
  • @FrankvanPuffelen To your second comment, what do you mean by "have access to your certs"? I'm hosting on Firebase; I don't think I need to worry about intercepting traffic, right? – Marcus Gallegos Feb 21 '19 at 17:37
  • @MarcusGallegos the JWT is an authentication token. If they grab the token while it is valid, they will be able to make valid requests to any Firebase service directly. The JWTs do expire within an hour though, so they would only have a limited window before having to refresh the JWT through your app. However, this isn't any different from any other authentication-token-based system that doesn't sign each request. – ricosrealm May 23 '21 at 01:29

1 Answer


Yes, the API keys are public for Firebase and anyone could authenticate (theoretically) and spam your database. With that said, you can use Security Rules to dictate if/where they can post.

Marcus Gallegos
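To make the answer concrete: since the API key and the user's own ID token are by design available to the user, the payment check cannot live in the client. The rules below are an added example (not from the question or answer above, and not Firebase's own sample) showing the weak rule the question worries about next to a hardened version. The collection names `orders` and `carts` and the fields `uid` and `paid` are assumptions for illustration; the "paid" order is written only by trusted server code (for example a Cloud Function using the Admin SDK, which bypasses these rules) after the payment provider confirms the charge.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak (the situation the question fears): every signed-in user can write
    // any order, so a user who replays their own ID token against the REST API
    // can create an order without ever paying.
    //
    // match /orders/{orderId} {
    //   allow read, write: if request.auth != null;
    // }

    // Hardened: clients may only read orders that carry their own uid and may
    // never create, update or delete one. Admin SDK writes from server code
    // are not subject to these rules, so only the server can record an order.
    match /orders/{orderId} {
      allow read: if request.auth != null
                  && resource.data.uid == request.auth.uid;
      allow create, update, delete: if false;
    }

    // If the client must create a document before payment (a cart), it may
    // create only an unpaid document for its own uid, and a later client
    // update may not change `uid` or flip `paid` (assumed field names).
    match /carts/{cartId} {
      allow read: if request.auth != null
                  && resource.data.uid == request.auth.uid;
      allow create: if request.auth != null
                    && request.resource.data.uid == request.auth.uid
                    && request.resource.data.paid == false;
      allow update: if request.auth != null
                    && resource.data.uid == request.auth.uid
                    && request.resource.data.uid == resource.data.uid
                    && request.resource.data.paid == resource.data.paid;
      allow delete: if false;
    }
  }
}
```

The point of the split is that a captured ID token still only proves who the caller is; with `create` denied on `orders` and `paid` pinned on `carts`, the most a token replay can do is read or edit the caller's own unpaid cart, which is exactly what the signed-in app lets them do anyway. Rules like these can be exercised locally against the Firebase emulator before deploying.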