I'm trying to provide Google Login for my Firebase application, following https://www.firebase.com/docs/security/simple-login-overview.html
It appears that after a successful login, a user object can be obtained, so it could, for example, be stored in the Angular scope, e.g. $scope.loggedInUser. (Depending on your implementation, it doesn't have to be Angular.)
My question is: is it a security risk that the user returned by Firebase, with lots of authentication tokens, can be exposed? The code is in JavaScript; somehow hackers should be able to hijack and steal the user by embedding some code in a browser.
The bits that raise my concern are: accessToken and firebaseAuthToken.
If it is a risk, how can we secure it?
Please refer to the code below for authentication and user data:
Here's the code for authentication:
authModule.controller( 'AuthController', [
    '$scope',
    '$firebase',
    function ( $scope, $firebase ) {
        var ref = new Firebase( 'https://test123.firebaseio.com' );
        // The callback runs on every auth state change; `user` is null when logged out.
        var auth = new FirebaseSimpleLogin( ref, function ( error, user ) {
            if ( error ) {
                console.error( 'Login failed:', error ); // surface failures instead of ignoring them
            } else if ( user ) {
                $scope.loggedInUser = user; // user has authenticated; this object contains security information
            }
        } );
        $scope.login = function () {
            auth.login( "google", {
                scope: 'https://www.googleapis.com/auth/plus.login'
            } );
        };
    }] );
What's contained in loggedInUser (this is just example data):
loggedInUser: {
    id: 7058267704789236427849
    uid: google:7058267704789236427849
    displayName: Joe Bloggs
    provider: google
    thirdPartyUserData: {
        id: 709139364278942374
        email: [email protected]
        verified_email: true
        name: Joe Bloggs
        given_name: Joe
        family_name: Bloggs
        link: https://plus.google.com/2672340913423423
        picture: https://lh3.googleusercontent.com/.../photo.jpg
        gender: male
        locale: en-GB
    }
    accessToken: W8k8dD6vvLEdlWa-dxkJD8lvWIwzea6m_86um8...
    email: [email protected]
    firebaseAuthToken: Q3Mjc4MzYsInYiOjAsImQiOnsiaWQiOiIxMDk0...
}
This is fundamentally a question about OAuth and how it operates. The generation of an encrypted token is fundamental to this process. There are plenty of opinions on whether and where it is okay to store this token (cookies, local storage, memory, etc).
Is a token secure? When utilized over an SSL session, OAuth is quite secure. Firebase utilizes the same OAuth practices and encryption as the other big names, all of whom provide OAuth tokens in a similar manner (in fact, in Simple Login, you can obtain your Facebook auth token, for instance, as part of the login payload, exactly as it's given to us via Facebook's API).
That's not to say that OAuth is without its warts. There is no perfect answer in security since everything is a trade-off. The only completely secure system is the one that doesn't exist physically, isn't connected to any network, and can't be accessed by human beings.
Regarding XSS, etc: In essence, once the trolls are in the castle, the china is going to get broken. If the client is compromised, then nothing is secure. If a user manages to somehow compromise your client's browser or execute a successful XSS, then they can gain access to your account by a number of ways, regardless of whether we're talking OAuth tokens or plain login/password fields.
In summary, if you trust Google, Facebook, Twitter, Yahoo, and M$ authentication to be relatively secure, then you can have the same faith in the Firebase authentication schema.
To provide more answers to my own question, so that it can be beneficial for other people who come across the same question: I tried to log in, log out, and log in again. Each time I got different tokens (for both accessToken and firebaseAuthToken). So these tokens act like a sessionId and would expire when logging out.
Found an answer from Andrew Lee from Firebase. He explains that the tokens are time-bound and can be kept in browser localStorage (and this is how we are supposed to maintain an active session).
Please refer to: https://stackoverflow.com/a/14094165/2810746
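As an added example (not code from the question, the answers, or Firebase), the following shows two defensive habits that follow from the discussion above: bind only a profile view of the Simple Login payload to $scope so the accessToken and firebaseAuthToken never sit in view-bound state, and read the expiry claim of a firebaseAuthToken kept in localStorage before reusing it, since the tokens are time-bound. It assumes the token is a JWT whose payload carries iat/exp claims; the sample token is constructed here.

```javascript
// Added example, not code from the question or from Firebase. Assumptions: the token is a
// JWT with iat/exp claims in its payload; makeSampleToken builds a constructed, unsigned token.

function toBinary(b64) {
  // JWT segments use the URL-safe base64 alphabet without padding; normalise before decoding.
  const std = b64.replace(/-/g, '+').replace(/_/g, '/');
  const padded = std + '='.repeat((4 - (std.length % 4)) % 4);
  return typeof atob === 'function' ? atob(padded) : Buffer.from(padded, 'base64').toString('binary');
}

function fromBinary(bin) {
  const std = typeof btoa === 'function' ? btoa(bin) : Buffer.from(bin, 'binary').toString('base64');
  return std.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the claims of a JWT. The signature is NOT checked: the browser has no secret to check
// it with, so this only tells you whether a token is stale, never whether it is genuine.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(toBinary(parts[1]));
}

// A token without an exp claim is treated as unusable, so the app re-authenticates
// instead of trusting a stored token of unknown age.
function isTokenFresh(token, nowSeconds) {
  const claims = decodeJwtPayload(token);
  return typeof claims.exp === 'number' && claims.exp > nowSeconds;
}

// Split the login payload: profile fields go to the view, tokens are kept elsewhere.
const TOKEN_FIELDS = ['accessToken', 'firebaseAuthToken'];
function splitLoginPayload(user) {
  const profile = {}, tokens = {};
  for (const key of Object.keys(user)) {
    (TOKEN_FIELDS.includes(key) ? tokens : profile)[key] = user[key];
  }
  return { profile, tokens };
}

// Constructed sample token for offline use; 'sig' is a placeholder, not a real signature.
function makeSampleToken(claims) {
  const header = fromBinary(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return header + '.' + fromBinary(JSON.stringify(claims)) + '.sig';
}
```

In the controller above, `$scope.loggedInUser = splitLoginPayload(user).profile` keeps the tokens out of anything the template can reach, while `isTokenFresh` decides whether a token read back from localStorage is worth presenting at all.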