
I want to make my website be "locked" as long as someone is not logged in. The implemented login system uses Google Firebase, so I have an easy and secure way of letting the user log in.

Currently I coded an if statement that redirects you to the login page if you're not logged in. I know that it could be easily bypassed as the script is client-side, so I wanted to ask what the best way would be for me to make this process more secure. I thought about using a script to insert the whole HTML into the page when the user is logged in, but this also means that the whole HTML is going to be in a client-side script, which is no good.

auth.onAuthStateChanged(function(user) {
  // location.href is always an absolute URL, so test the path instead
  var onLoginPage = window.location.pathname.endsWith("login.html");
  var mail;
  if (user) {
    if (onLoginPage) {
      mail = user.email;
      window.alert("on login logged in. redirecting to index User Email: " + mail);
      window.location.replace("index.html");
    }
  } else {
    window.alert(window.location.href);
    if (!onLoginPage) {
      mail = null;
      window.alert("not on login and logged out. Redirecting to login page Email: " + mail);
      // replace() is a method; assigning a string to it does not navigate
      window.location.replace("login.html");
    }
  }
});
Peki

1 Answer


If your website is hosted on Firebase Hosting, then all files are public. There is no way to prevent a user from accessing specific files. See "Firebase Hosting - password protect website?" and "Can Firebase hosting restrict access to resources?"

That said, the secret information is typically not directly in your HTML, but in other resources you load from a server, for example from a database. And if the database you use is from Firebase (Cloud Firestore, or Realtime Database), you can ensure that only authorized users can access the data by using Firebase's server-side security rules. If you're using another database, or your own backend to serve the data that needs to be protected, look into verifying ID tokens in your own back-end code to ensure the user is authorized to access the data.

Frank van Puffelen
  • Thanks a lot Frank! Are you saying that I should upload the HTML of everything but my Login.html onto the database and then create rules that let the .html files be inserted into the server for certified users? In my case, the whole website is supposed to be the "secret information". – Peki Jun 18 '19 at 14:44
  • You shouldn't store HTML in the database. But your HTML typically isn't the secret information, it's the data that you have inside that HTML that is secret. If you dynamically generate the HTML from a template and data (which is the common approach for web apps), then you can protect data access in the way I outlined. If you want to secure the entire web site, Firebase Hosting isn't a good fit for you, as it doesn't support this. – Frank van Puffelen Jun 18 '19 at 14:54