
I am starting to learn about JWT and I was wondering if someone got a hold of both my ID token and refresh token, could that someone access Firestore or other Firebase resources pretending to be me indefinitely (until the refresh token is revoked)?

If so, how does firebase prevent this from happening?

I can't help feeling that if someone could get my ID token, it's not that hard to access the refresh token as well.

dshukertjr
  • Yes. An attacker can impersonate you if they get hold of access and/or refresh token. This answer covers some ways of handling the tokens on client device in a secure way: https://stackoverflow.com/a/54258744/1235935 – Saptarshi Basu Dec 24 '19 at 02:20

1 Answer

2

All communication with Firebase APIs is over HTTPS, which means that no one can listen in on that communication. It is secure. If someone got both a fresh ID token and a refresh token, then they could impersonate you when making calls to Firebase APIs.

However, no one can get your ID token or refresh token unless you make a security mistake. For example, leaving your computer unlocked while you're signed in would be a bad idea. Or, having a password that's easy to guess. Use all the standard security precautions, and you won't have a problem.

Doug Stevenson
  • Thank you for your answer! I have one more concern though. https://firebase.google.com/docs/auth/admin/manage-sessions Here, it says "suspect a wide-scale leak of active tokens". In what kind of situations could this occur? – dshukertjr Dec 25 '19 at 00:49