In my frontend React project I exported a Firebase instance:

firebaseApp.js

import * as firebase from "firebase/app";
import "firebase/auth";
import "firebase/storage";

export default firebase.initializeApp({
    ... <props>
});

Whenever I need to use Firebase in my project, I do this:

import firebaseApp from "../firebase/firebaseApp";
[...]
await firebaseApp.auth().signInWithEmailAndPassword(email, password)

Knowing that the JavaScript is shipped client side, as this is a frontend project, is there a way for people to open the browser console, access my instance of Firebase and call, for example:

firebaseApp.auth().createUserWithEmailAndPassword(email, password);

which will result in creating users without backend authorization, and allow bots to create users?

IOW, can someone access a module instance from the browser and play with it?

Frank van Puffelen
lolo.io

1 Answer

It is indeed possible to take the configuration data from your existing web app, and use that to call the API in another way than your code does. And that does indeed mean that users can create accounts outside of your app.

Firebase makes a clear split between authentication (the users prove who they are) and authorization (the user is granted access to data). Firebase Authentication takes care of the former, while you use security rules (see below) or server-side code to take care of the latter.

For this reason you should never trust that the code that accesses your project is the same code that you wrote. So instead of assuming it's your application, think of what you want a user (no matter what code they use) to be able to do.

For example, if you're using one of Firebase's databases (the Realtime Database or Cloud Firestore), you'd use their built-in server-side security rules to ensure any user can only access the data they're authorized for. In that case it doesn't matter if the user used your code, or wrote their own code: they'll have to follow those server-side security rules.

This is a common concern, so I recommend also reading some of these questions and answers:

Frank van Puffelen
  • Thank you for your detailed answer. I only use Firebase Authentication on client side and I handle all data access and modifications server side. My only concern was that people might be able to access my firebase api to create a lot of users (which would only be users on firebase auth, never stored in my app db), but this might overcrowd my firebase account and maybe lead to unnecessary fees. I'm talking of some kind of attack creating thousands of users. Is there a way to avoid that? I don't think security rules can. – lolo.io Oct 22 '20 at 13:32
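To illustrate the answer's point that authorization must be enforced server side with security rules rather than trusted to the shipped client code, here is an added Cloud Firestore rules example (not code from the question or the answer). It assumes a hypothetical `users/{userId}` collection whose document id is the owner's Firebase Auth uid; the weak variant is shown commented out beside the hardened one.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (commented out): trusts whatever client calls the API.
    // Anyone with the public config, signed in or not, can read
    // and write every document, whether they use your app or the console.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: the rule is evaluated by Firebase, not by your frontend,
    // so it holds no matter which code makes the request.
    match /users/{userId} {
      // A caller may only touch the profile whose id equals their own uid.
      // request.auth is null for unauthenticated requests, so they are denied.
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Everything not matched above is denied by default.
  }
}
```

The same reasoning applies to the Realtime Database, whose rules use `auth.uid` in place of `request.auth.uid`.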