
Let's say I have a very secret website that only a limited number of people, my family for example, can log in to. I am the admin who creates the accounts via Firebase Auth.

But then, someone notices the Firebase credentials in my frontend code to initialize the app.

So the "hacker" initializes an app from it on his localhost and creates a user with his email address. Now he is able to log in and can use all the other methods mentioned here against my very secret website, right…? How do I prevent this?

Royal

1 Answer


I have created a trigger via a Cloud Function that listens for user creation and disables new users.

If you create a new user, you need to enable the user in your Firebase console.

Function code:

import * as functions from 'firebase-functions';
import * as admin from 'firebase-admin';

admin.initializeApp();

// Deployment region; not shown in the original snippet, set it to your own.
const functionsRegion = 'us-central1';

const onCreateHandler = (user: admin.auth.UserRecord, context: functions.EventContext) => {
  // Note: accounts created without an e-mail (phone or anonymous sign-in) pass this check and stay enabled.
  if (!user.email) {
    return null;
  }

  // Disable the account right away; real users are re-enabled by hand in the console.
  return admin.auth().updateUser(user.uid, {
    disabled: true,
  });
};

export const authUserCreatedTrigger = functions.region(functionsRegion).auth.user().onCreate(onCreateHandler);

With this method the user / hacker can't log in after registration.

You could also log the user creation in Firestore and send yourself a notification (email) :)

You could also implement some custom access logic, stored in Firestore or in custom user claims, which your frontend can use to decide what the user can or cannot see.

Norbert Bartko
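The following is an added example, not code from the answer above or from Firebase. It combines the answer's three suggestions (disable on creation, log the signup, set a custom claim) into one onCreate handler that checks the new account's e-mail against an allowlist of family addresses: anyone not on the list is disabled, anyone on it gets a `family: true` custom claim that security rules can check. The `UserRecord`, `AuthAdmin` and `EventLog` interfaces are assumptions that mirror only the subset of `admin.auth()` and Firestore calls the handler needs, so the logic runs and can be tested here without the Admin SDK; the fakes and the sample users are constructed for the demo.

```typescript
// Added example (not the answer's code): allowlist-based Firebase Auth onCreate handler.
// AuthAdmin / EventLog are assumed interfaces covering the Admin SDK subset used here.

export interface UserRecord {              // subset of admin.auth.UserRecord (assumption)
  uid: string;
  email?: string;
}

export interface AuthAdmin {               // subset of admin.auth() (assumption)
  updateUser(uid: string, props: { disabled: boolean }): Promise<unknown>;
  setCustomUserClaims(uid: string, claims: Record<string, unknown>): Promise<unknown>;
}

export interface SignupEvent {
  uid: string;
  email: string | null;                    // normalized, or null if the provider gave none
  action: "allowed" | "disabled";
  at: string;                              // ISO-8601 timestamp
}

export interface EventLog {                // e.g. a Firestore collection (assumption)
  write(entry: SignupEvent): Promise<unknown>;
}

// Compare e-mails case-insensitively and ignore surrounding whitespace.
export function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Pure decision: only an e-mail on the allowlist is let in. Accounts without an
// e-mail (phone or anonymous sign-in) are treated like unknown e-mails and disabled.
export function classifySignup(allowlist: string[], user: UserRecord): SignupEvent["action"] {
  const email = user.email ? normalizeEmail(user.email) : null;
  if (email === null) return "disabled";
  return allowlist.some((a) => normalizeEmail(a) === email) ? "allowed" : "disabled";
}

// Builds the handler you would pass to functions.auth.user().onCreate(...).
export function createOnCreateHandler(allowlist: string[], auth: AuthAdmin, log: EventLog) {
  return async (user: UserRecord): Promise<SignupEvent> => {
    const action = classifySignup(allowlist, user);
    if (action === "allowed") {
      // Custom claim that Firestore/Storage rules can check as request.auth.token.family.
      await auth.setCustomUserClaims(user.uid, { family: true });
    } else {
      await auth.updateUser(user.uid, { disabled: true });
    }
    const event: SignupEvent = {
      uid: user.uid,
      email: user.email ? normalizeEmail(user.email) : null,
      action,
      at: new Date().toISOString(),
    };
    await log.write(event);                // record every signup attempt, allowed or not
    return event;
  };
}

// Constructed in-memory stand-ins for the Admin SDK and Firestore.
export class FakeAuthAdmin implements AuthAdmin {
  disabled = new Set<string>();
  claims = new Map<string, Record<string, unknown>>();
  async updateUser(uid: string, props: { disabled: boolean }): Promise<void> {
    if (props.disabled) this.disabled.add(uid); else this.disabled.delete(uid);
  }
  async setCustomUserClaims(uid: string, claims: Record<string, unknown>): Promise<void> {
    this.claims.set(uid, claims);
  }
}

export class MemoryLog implements EventLog {
  entries: SignupEvent[] = [];
  async write(entry: SignupEvent): Promise<void> { this.entries.push(entry); }
}

// Constructed scenario: two family members on the list, one stranger who found the config.
export const FAMILY_ALLOWLIST = ["mom@example.com", "Dad@Example.com"];

export async function runDemo(): Promise<{ auth: FakeAuthAdmin; log: MemoryLog }> {
  const auth = new FakeAuthAdmin();
  const log = new MemoryLog();
  const onCreate = createOnCreateHandler(FAMILY_ALLOWLIST, auth, log);
  await onCreate({ uid: "u1", email: "dad@example.com" });    // allowed, gets the claim
  await onCreate({ uid: "u2", email: "attacker@evil.test" }); // disabled
  await onCreate({ uid: "u3" });                              // no e-mail: disabled
  return { auth, log };
}

runDemo().then(({ log }) => console.log(JSON.stringify(log.entries, null, 2)));
```

Two caveats when deploying this. An onCreate trigger runs asynchronously after the account exists, so the new user can obtain an ID token before the function fires, and disabling the account does not invalidate tokens already issued; they stay valid until they expire. Checking the claim in Firestore and Storage rules (`request.auth.token.family == true`) closes that window, because a token minted before the claim was set does not carry it, whereas a client-side check of the claim only changes what the frontend renders. If the project uses Firebase Authentication with Identity Platform, a blocking `beforeCreate` function can reject the sign-up synchronously instead.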