
Why is it possible to take the Firebase config's API key from my live project, use it in the Firebase Auth REST API and create an anonymous user in my project?

I found that if you take the API key from the client-side Firebase config of any live system and use it to call any REST API of Firebase Auth (API docs: https://firebase.google.com/docs/reference/rest/auth), e.g. sign in anonymously, you will actually be creating a user in that Firebase project.

Solutions I tried to prevent this

  • I googled and learned that I can apply a referrer restriction to the API key from the GCP Console to prevent requests from other domains. The workaround to bypass that protection is to use the Firebase REST APIs with a spoofed referrer using tools like Postman.

Root issue

I believe Firebase should have some security settings to prevent others from creating users in my project's Authentication section. Why is it like that? Am I missing something?

Thanks in advance.

Jaydip Kalkani
  • Did you see https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public? While your question is not exactly the same, most of the answer should be addressed there already. – Frank van Puffelen Oct 15 '22 at 12:16
  • Hi @FrankvanPuffelen, thanks for commenting. Yes, I have seen that and also seen [this](https://stackoverflow.com/q/35418143/7804719), but my concern and question is: why is somebody being allowed to create a user in my project? Is it an architecture issue or intentional for some reason? – Jaydip Kalkani Oct 15 '22 at 12:30
  • Firebase is created to allow most common operations to be started from the client-side. That means you won't have to spin up servers, for such common operations. But you can control what is allowed, for example by not enabling certain auth providers, or by [implementing a blocking function](https://firebase.google.com/docs/functions/auth-events#trigger_blocking_functions) that validates users who try to sign up or sign in. But instead of asking why Firebase is the way it is, it's more likely we can answer if you tell us what you're trying to accomplish. – Frank van Puffelen Oct 16 '22 at 01:18
  • @FrankvanPuffelen I am trying to prevent anybody else other than my own client project from creating users in my firebase project. – Jaydip Kalkani Oct 16 '22 at 03:13
  • Until App Check is also available for Firebase Authentication, that is not an option. – Frank van Puffelen Oct 16 '22 at 11:13
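The blocking function mentioned in the comments, as an added example that is not part of the question or of Firebase's own code: a `beforeCreate` handler that rejects records a leaked web API key could create directly through the REST API, allowing only providers the project has deliberately enabled. It assumes the firebase-functions v1 API (`functions.auth.user().beforeCreate`, `functions.auth.HttpsError`), and the allow-list and sample records are constructed.

```javascript
// Providers this project intentionally enables (constructed allow-list; adjust to
// match what is switched on in the Authentication console).
const ALLOWED_PROVIDERS = new Set(['password', 'google.com']);

// Pure policy: decide whether a pending user record may be created.
// `user` mirrors the AuthUserRecord handed to beforeCreate. An anonymous sign-up
// (the REST "signUp" call with only the API key) arrives with no providerData.
function evaluateSignUp(user) {
  const providers = (user.providerData || []).map((p) => p.providerId);
  if (providers.length === 0) {
    return { allow: false, reason: 'anonymous sign-up is not permitted in this project' };
  }
  const unexpected = providers.filter((id) => !ALLOWED_PROVIDERS.has(id));
  if (unexpected.length > 0) {
    return { allow: false, reason: `provider not enabled: ${unexpected.join(', ')}` };
  }
  // Email/password sign-ups must at least carry a syntactically valid address.
  const email = user.email || '';
  if (providers.includes('password') && !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    return { allow: false, reason: 'email/password sign-up requires a valid email' };
  }
  return { allow: true, reason: 'ok' };
}

// Wire the policy into the SDK. `functions` is `require('firebase-functions')`
// in a deployment; it is injected here so the module can be tested without it.
function registerBeforeCreate(functions) {
  return functions.auth.user().beforeCreate((user, context) => {
    const verdict = evaluateSignUp(user);
    if (!verdict.allow) {
      // Throwing here aborts creation: no user record is written to the project,
      // regardless of which client (SDK, Postman, curl) presented the API key.
      throw new functions.auth.HttpsError('permission-denied', verdict.reason);
    }
  });
}
```

Because the check runs server-side after the request reaches Firebase, it does not depend on referrer headers and cannot be bypassed by spoofing them; it complements, rather than replaces, disabling unused providers in the console.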

0 Answers