While sniffing the Firebase traffic, I have seen that a code is passed to the auth server so that it always returns a 200 status code. This shows that there is some level of optional security at some level in the authentication protocol.
Is there a way to cause Firebase authentication to fail with an identical error message when the user enters a non-existent email address as when they enter the wrong password?
The INVALID_USER status code gives me concern about the potential for a user enumeration attack, in a case where my application has become compromised via script injection.
Information on how to more securely lock down the Firebase auth protocol, and/or some sort of statement about smart rate limiting (somehow distributed attack immune?) being applied would probably go a long way to assuring me that Firebase's built-in email and password auth is indeed secure (assuming Firebase rules are set up correctly, certs aren't compromised on the client, etc).
(Firebase employee) For now, the answer is no: you can't control the status codes reported to the client.
The good news is that an enumeration attack would be fairly difficult, as we throttle requests by origin to mitigate any brute force approaches.
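The two points raised on this page, identical error responses for "no such account" and "wrong password" on the one hand, and per-origin throttling on the other, can both be enforced in a small server-side sign-in proxy that sits between the client and the identity provider, so the raw provider status never reaches the browser. The following is an added example written for this page, not Firebase's own code or API: `handleSignIn`, `OriginThrottle`, `makeFakeBackend` and the request shape are hypothetical; `INVALID_USER` is the code the question quotes, `EMAIL_NOT_FOUND` and `INVALID_PASSWORD` are the names the Identity Toolkit REST API uses, and the remaining codes are illustrative assumptions.

```javascript
// Added example (not Firebase's code): a sign-in proxy that collapses every
// credential failure into one indistinguishable response and throttles
// attempts per origin with a fixed-window counter.

// One response for every credential failure, so a caller cannot learn
// whether the email exists, whether the password was wrong, or whether the
// account is disabled.
const GENERIC_FAILURE = Object.freeze({
  status: 401,
  body: { error: 'Invalid email or password.' },
});

const THROTTLED = Object.freeze({
  status: 429,
  body: { error: 'Too many attempts. Try again later.' },
});

// Codes that reveal account state. INVALID_USER is the code quoted on this
// page; EMAIL_NOT_FOUND and INVALID_PASSWORD are Identity Toolkit REST names;
// USER_DISABLED is included as an illustrative assumption.
const CREDENTIAL_FAILURE_CODES = new Set([
  'INVALID_USER',
  'EMAIL_NOT_FOUND',
  'INVALID_PASSWORD',
  'USER_DISABLED',
]);

function normalizeAuthError(code) {
  if (CREDENTIAL_FAILURE_CODES.has(code)) return GENERIC_FAILURE;
  if (code === 'TOO_MANY_ATTEMPTS_TRY_LATER') return THROTTLED;
  // Anything unexpected is still reported without detail.
  return { status: 500, body: { error: 'Authentication unavailable.' } };
}

// Fixed-window counter keyed by origin (hypothetical; a production deployment
// would back this with shared storage so all instances see the same counts).
class OriginThrottle {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }

  // Returns true if the attempt from `origin` at time `nowMs` is within budget.
  allow(origin, nowMs) {
    const bucket = this.buckets.get(origin);
    if (!bucket || nowMs - bucket.start >= this.windowMs) {
      this.buckets.set(origin, { start: nowMs, count: 1 });
      return true;
    }
    bucket.count += 1;
    return bucket.count <= this.limit;
  }
}

// `backend(email, password)` is a hypothetical stand-in for the identity
// provider call; it returns { ok: true, idToken } or { ok: false, code }.
// Throttling is checked first so that throttled requests never reach the
// provider and never reveal anything about the account.
function handleSignIn(req, backend, throttle, nowMs) {
  if (!throttle.allow(req.origin, nowMs)) return THROTTLED;
  const result = backend(req.email, req.password);
  if (result.ok) return { status: 200, body: { idToken: result.idToken } };
  return normalizeAuthError(result.code);
}

// Constructed in-memory backend for demonstration only. It deliberately
// returns distinguishable codes, which is exactly what the proxy hides.
function makeFakeBackend(users) {
  return (email, password) => {
    if (!(email in users)) return { ok: false, code: 'EMAIL_NOT_FOUND' };
    if (users[email] !== password) return { ok: false, code: 'INVALID_PASSWORD' };
    return { ok: true, idToken: 'constructed-token-for-' + email };
  };
}

// Stand-alone demonstration with constructed sample data.
function demo() {
  const backend = makeFakeBackend({ 'alice@example.com': 'correct horse' });
  const throttle = new OriginThrottle(3, 60_000);
  const origin = '203.0.113.5'; // constructed documentation address
  const unknown = handleSignIn({ origin, email: 'nobody@example.com', password: 'x' }, backend, throttle, 0);
  const wrongPw = handleSignIn({ origin, email: 'alice@example.com', password: 'wrong' }, backend, throttle, 1);
  console.log('identical responses:', JSON.stringify(unknown) === JSON.stringify(wrongPw));
  return { unknown, wrongPw };
}

module.exports = { normalizeAuthError, OriginThrottle, handleSignIn, makeFakeBackend, demo };
```

Making the status code and body identical removes the signal the question is worried about, but it does not by itself equalize response timing; if the provider answers measurably faster for an unknown email than for a bad password, the proxy should also pad or uniformly delay failure responses. Note also that the counter above resets in fixed windows, so a client can briefly exceed the intended rate at a window boundary; a sliding window or token bucket is the usual refinement.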