
I'm going to use Firebase in my Android project and I want to authenticate the user with the signInWithCustomToken function.

I'll generate the token from my Admin SDK (Python) and return it to the user, and the user will authenticate with that token.

My questions are:

1 -> Can that token I generated with a key be generated only by me? I mean, is it unique to me?

```python
from firebase_admin import auth  # Admin SDK, app initialized elsewhere with the service account

uid = 'some-uid'
custom_token = auth.create_custom_token(uid)
```

Can someone create the same token as mine if he uses the same uid, or is it always unique?

2 -> Can someone set the firebase.auth.uid variable manually, without using the firebase.authenticate function?

I mean, if someone gets the auth.uid but not the token, can he set that auth.uid in the client's auth variable?

Thanks for the information and answers...

Eagleclaw
  • You may be interested by this answer https://stackoverflow.com/a/66185640/3371862 – Renaud Tarnec Mar 01 '21 at 09:53
  • That's not what I'm asking for. All my sign-in methods are disabled in Firebase Auth. The only way to auth is to use my custom auth server built with Python using the Admin SDK. I validate the user with my own login system; if the user is validated, I create a token for that user and return it to the user. Then the user authenticates to Firebase with that token in Android/Kotlin. The key point that I'm asking is: can someone re-generate/clone that token without using my auth server (1), and can someone set his own auth.uid to the value he wants? Thanks for your help and answer btw. – Eagleclaw Mar 01 '21 at 10:15
  • As explained [here](https://firebase.google.com/docs/auth/admin/create-custom-tokens#before_you_begin) in the doc, "custom tokens are signed JWTs where the private key used for signing belongs to a Google service account". It's actually what R.S. explains below. If a malicious user tries to use a JWT (with an existing uid) that was not signed with this private key, the Security Rules check will fail. So the answers to the two questions in your comment are no. – Renaud Tarnec Mar 01 '21 at 11:00
  • So if I understand it correctly, no one can replicate the token I created, even if they know the uid, because while creating that token I sign it with my private key. And for the other question, since they don't have the token, they can't authenticate to Firebase by only knowing the uid. Am I right? – Eagleclaw Mar 01 '21 at 12:17
  • Yes you are right. (Of course you are responsible for correctly protecting your server and your Google account) – Renaud Tarnec Mar 01 '21 at 12:46
  • Of course, I'll do my best to protect them. Thanks for your help. – Eagleclaw Mar 01 '21 at 12:59

1 Answer


1 - The custom token could only be duplicated if someone gains access to your serviceCredentials file, meaning they'd have full read/write access to your Firebase contents. If you create a token with the same UID from a different Firebase project, the tokens won't match.

2 - Someone may attempt to set the auth.uid variable manually; however, this is useless without the auth token itself, which is what enables read/write on the database (depending on your Firebase security rules). Firebase documentation states that they will generate the auth token, and once again this cannot be done without having your serviceCredentials file.

R.S.
  • I was thinking to set my database rules like this example: https://firebase.google.com/docs/database/security/rules-conditions#the_auth_variable `".write": "$user_id === auth.uid"` Isn't it safe enough? Do you have any recommendations? Btw, your first answer was the answer I'm looking for, thank you for that. – Eagleclaw Mar 01 '21 at 08:50
  • Database rules depend on what context you're in. For example, an alternate rule may be required if you're setting up a group where only selected members can edit the site. The case you mentioned is a very good example that can apply to most situations; the link you provided is quite solid with extra info. I also recommend performing checks in your back-end for more compound security, preventing 'not-allowed' actions where necessary before reaching Firebase; using a service account means more access and therefore more vulnerable points as compared to i.e. using pure JS. – R.S. Mar 01 '21 at 10:50
  • I already have an SQL server for almost all my app data with enough controls. I'm going to use Firebase for FCM (push notifications) and Realtime Database (for user presence). So I'm not in a complicated situation. All I need to do is set rules so that only the user himself can add login connections to his path, but every user can read that path. The example that I gave does what I want; I tried it. I'm trying to make sure that no one can bypass that without getting an auth token from my authentication server. I hope I explained my problem and concerns enough. – Eagleclaw Mar 01 '21 at 12:25
  • For #2 and comments: the `auth.uid` variable in security rules is determined by Firebase and cannot be spoofed from the client-side SDK. – Frank van Puffelen Mar 01 '21 at 16:19
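An added illustration of the point made in the answer and comments above (not code from the question, the answer or the Firebase SDK): a stand-in create/verify pair showing why a token minted with the same uid but a different key, or a token whose uid claim was rewritten after signing, never yields a usable auth.uid. Firebase signs custom tokens with RS256 using the service account's private key; HMAC-SHA256 stands in here so the example runs offline, and the issuer, audience string and keys are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-ins. The real signing key is the service account's private key
# (RS256); HMAC is used here only so the demo has no dependencies.
ISSUER = "firebase-adminsdk@example-project.iam.gserviceaccount.com"  # hypothetical
AUDIENCE = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
SERVER_KEY = b"constructed-secret-held-only-by-the-auth-server"
ATTACKER_KEY = b"constructed-secret-the-attacker-made-up"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_custom_token(uid: str, key: bytes, now: Optional[int] = None) -> str:
    """Mint header.payload.signature with the claim set custom tokens carry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 3600, "uid": uid}
    body = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    return body + "." + _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())


def verify_custom_token(token: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Return the uid only after the signature and claims check out; this is what
    makes auth.uid trustworthy, and it runs before any claim is believed."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(parts[2])):
            return None  # not signed with the server's key: forged or tampered
        claims = json.loads(_unb64url(parts[1]))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims.get("uid")


def tamper_uid(token: str, new_uid: str) -> str:
    """Rewrite the uid claim but keep the old signature: 'setting auth.uid by hand'."""
    header, payload, sig = token.split(".")
    claims = dict(json.loads(_unb64url(payload)), uid=new_uid)
    return ".".join([header, _b64url(json.dumps(claims, separators=(",", ":")).encode()), sig])
```

Running verify_custom_token over a legitimate token, an attacker-keyed token with the same uid, and a uid-rewritten token returns the uid only for the first one; the other two fail at the signature step, before the uid claim is ever read.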