How does the firebase authentication and realtime application database secure itself?

只谈情不闲聊 submitted on 2021-02-08 05:46:17

Question


I'm curious about this from a general development perspective of how to secure access to online resources. We initialize our web app with the following Firebase configuration parameters:

  • apikey
  • authdomain
  • projectid
  • databaseurl
  • messagesenderid

How does the server use these to ensure that the requests are valid? Mainly, why can't someone else just fish these parameters out of the application and then create another "Evil" application that uses the same parameters for "Evil"?

"Evil" would include creating a different app with the same credentials fished out of the real app, signing up users against the same credentials contained in the real app using the plain email/password signup form, and then, once the users are signed in, doing even more "Evil".

Also, for a simple Node Express.js application that we wanted to secure using the above parameters, how would that work from an application request lifecycle perspective?

1) Express receives request

2) Express checks that ...

Lastly, is any of this part of how OpenID Connect works? In other words, is it following the OpenID Connect spec at all, or is it a custom security solution built specifically for Firebase?


Answer 1:


These configuration parameters do nothing more than identify your Firebase project on the various servers. They are not in any way meant as an authentication/authorization mechanism.

See my answers here:

  • my answer to Is it safe to expose Firebase apiKey to the public?

  • and to How to restrict Firebase data modification?

  • and Kato's excellent answer to How to prevent other access to my firebase

You'll note that most of these point to Firebase Authentication for authenticating users, and then server-side security rules for authorizing their access. With both of these in place, it doesn't really matter anymore what code performs the access. If the user is authenticated against the same back-end, and the data access adheres to your server-side security rules, it means it follows the rules you set, no matter whose code it is.
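As an added example (not part of the answer above), here is what those server-side rules look like for the Realtime Database. It assumes a data layout with a `users/{uid}` subtree and a read-only `public` subtree, which are assumptions for illustration; the point is that a cloned "Evil" app using the same config still has to sign in through Firebase Authentication and is then held to exactly these rules.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "email": {
          ".validate": "newData.isString() && newData.val() == auth.token.email"
        }
      }
    },
    "public": {
      ".read": "auth != null",
      ".write": false
    }
  }
}
```

`auth` is populated from the verified Firebase ID token on each request, so a signed-in user from any client can only read or write their own `users/{uid}` record and can only store the email address that token attests to; unauthenticated requests are rejected everywhere.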



Source: https://stackoverflow.com/questions/49701419/how-does-the-firebase-authentication-and-realtime-application-database-secure-it
