0

I am building a web app with firebase and I am looking to restrict access to firebase auth signup.

In theory a malicious user could make requests to the firebase auth REST API with my public API token. I understand that there are rate limits in place however I am looking to eliminate this possibility entirely.

I have added my domain as a restriction for the firebase key via the Credentials tab in APIs & Services. When I try to make requests to this domain without a referer header it fails as expected.

However, when I set the referer header with the authorized domain it works. If a malicious user adds my public domain as referer header in that request they can create an account.

I have looked into AppCheck however I'm not sure if there is any benefit in regards to restricting access to the firebase auth REST API. Any insight or help is greatly appreciated!

Related posts:

Firebase AppCheck for Firebase Auth

Prevent Firebase User creation by 3rd party

Dharmaraj
  • 47,845
  • 8
  • 52
  • 84
Tyler
  • 418
  • 5
  • 18

1 Answers1

2

You can now disable sign-ups by upgrading to Identity Platform.

enter image description here

Do note that Identity Platform has a different pricing with only free 3000 MAU. Also see: How does new Firebase Authentication billing work?

Alternatively, if you do not want to upgrade to Identity Platform, you can restrict the API to services that can be access from client side only. If Firebase Authentication API is not included, the client SDK will not work but that also means you'll have to manage auth state yourself.
That should not be an issue if you have a server side application that uses session cookies as they are verified by Admin SDK.

enter image description here

Checkout Prevent front-end generated email sign-in links when generating and sending these via backend for more information.

Dharmaraj
  • 47,845
  • 8
  • 52
  • 84