
I am using the Firebase Realtime Database REST API on the client side. I noticed that you need to send the access token in the URL, and this info is exposed in the request.

Is this a secure way of using the REST API? Is there another more secure way of accomplishing this?

Here is the documentation: https://firebase.google.com/docs/reference/rest/database#section-param-auth

Doug Stevenson
Glauber
  • What exactly do you mean by "secure"? What are you trying to prevent from happening? What are your security requirements? – Doug Stevenson Aug 14 '19 at 15:43
  • Maybe it is a noob question, but I guess I am trying to understand if sending the access token is OK in terms of web security. What happens if someone intercepts the request, gets the user token and uses it to access data? – Glauber Aug 14 '19 at 17:30

1 Answer

When you see "https" at the front of the URL used for the API, that means the data is encrypted and can't be intercepted. So passing data along with the query should not pose a security problem in terms of someone gaining access to your key.

However, if you ship a client app that contains the key, you are basically giving it away to anyone who has your app, as it's always possible for someone to reverse engineer your app and gain access to all data inside it. To avoid that, you should be using Firebase Authentication and security rules to determine who can access the data in your database.

Doug Stevenson
  • I am already using Firebase Authentication and security rules, so I guess this should not be a problem. Also, the token I am using is the user access token that I get from firebase.auth().currentUser.getIdToken(true). This solution should be OK, correct? – Glauber Aug 14 '19 at 18:24
  • That should be OK. – Doug Stevenson Aug 14 '19 at 18:26
  • According to the answer to this question https://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl, it isn't a good idea to put sensitive information in the query string (because some servers save that information). Is there a way to use authentication headers on the REST API call? I tried that but I got an unauthorized error. – Glauber Aug 16 '19 at 22:30
  • There are no other servers involved other than those at Google that are serving the request. – Doug Stevenson Aug 17 '19 at 14:46
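The client-side pattern the answer and its comments settle on, written out as an added example (this is not code from the question, the answer, or Firebase's own SDK): the signed-in user's ID token goes in the documented `auth` query parameter (https://firebase.google.com/docs/reference/rest/database#section-param-auth), the request is refused unless the database URL is https so the query string travels inside the TLS session, and a 401 is retried once with a force-refreshed token, mirroring `firebase.auth().currentUser.getIdToken(true)`. The database URL, node path, token strings and the in-memory stand-in for the database are constructed for the example and are assumptions, not anything the page states.

```javascript
// Added example, not code from the original post or from Firebase's libraries.
// Demonstrates sending a Firebase ID token as the documented `auth` query
// parameter over https only. The database URL, paths, token values and the
// fake transport below are constructed assumptions for an offline run.

// Build the REST URL for `path` with the ID token as the `auth` parameter.
// Refuses http:// so the token never leaves the browser in the clear, and uses
// URLSearchParams so the token is percent-encoded rather than pasted in raw.
function buildAuthedUrl(databaseUrl, path, idToken) {
  const url = new URL(databaseUrl);
  if (url.protocol !== "https:") {
    throw new Error("refusing to send an ID token over " + url.protocol);
  }
  if (typeof idToken !== "string" || idToken.length === 0) {
    throw new Error("no ID token: user is not signed in");
  }
  // REST paths are relative to the database root and end in .json.
  const node = path.replace(/^\/+/, "").replace(/\.json$/, "");
  url.pathname = "/" + node + ".json";
  url.searchParams.set("auth", idToken);
  return url.toString();
}

// Perform one authenticated request. `getIdToken(forceRefresh)` mirrors
// firebase.auth().currentUser.getIdToken(forceRefresh): ID tokens expire after
// about an hour, so a 401 is retried exactly once with a force-refreshed token.
// `fetchImpl` defaults to the global fetch; the demo injects a fake transport.
async function dbRequest(databaseUrl, path, getIdToken, init = {}, fetchImpl = globalThis.fetch) {
  let token = await getIdToken(false);
  let res = await fetchImpl(buildAuthedUrl(databaseUrl, path, token), init);
  if (res.status === 401) {
    token = await getIdToken(true); // force a fresh token and try once more
    res = await fetchImpl(buildAuthedUrl(databaseUrl, path, token), init);
  }
  if (!res.ok) {
    throw new Error("database request failed with HTTP " + res.status);
  }
  return res.json();
}

// Constructed offline stand-in for the Realtime Database (assumption, not the
// real service): any token other than `validToken` is answered with 401, as an
// expired or rejected token would be; the valid one returns `node`.
function makeFakeDatabase(validToken, node) {
  const log = [];
  const fetchImpl = async (urlString) => {
    const url = new URL(urlString);
    log.push({ path: url.pathname, token: url.searchParams.get("auth") });
    if (url.searchParams.get("auth") !== validToken) {
      return { ok: false, status: 401, json: async () => ({ error: "Auth token is expired" }) };
    }
    return { ok: true, status: 200, json: async () => node };
  };
  return { fetchImpl, log };
}

// Runs the stale-token-then-refresh scenario and reports what the transport saw.
async function demoRetry() {
  const db = makeFakeDatabase("fresh-token", { name: "Glauber" });
  const getIdToken = async (forceRefresh) => (forceRefresh ? "fresh-token" : "stale-token");
  const data = await dbRequest("https://example-db.firebaseio.com", "/users/abc", getIdToken, {}, db.fetchImpl);
  return { calls: db.log.length, tokens: db.log.map((e) => e.token), data };
}
```

In a real page `getIdToken` would be `(force) => firebase.auth().currentUser.getIdToken(force)` and `fetchImpl` the browser's `fetch`; the https check is the part worth keeping even if the rest is rewritten, because it is the TLS session, not the choice of query parameter versus header, that keeps the token out of the hands of someone watching the network.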