[Firebase Core] Token generation security measures

Published on 2018-12-20 by Labs

Hey,

So I looked at some examples on how to use the token generated by this extension through the use of the Database Secrets data provided in my Firebase project, namely the Project Id and Secret Key:

Everything works just fine but my concern is what is written in red. How risky is it to be using Database Secrets? Is it hard for us to use the recommended Firebase Admin SDK using this extension? I read some of the documentation and it doesn't seem very straightforward.

Also, a side question, since I can't install Visual Studio on this computer to open up this extension, can you please tell me why we need to use the UserId to generate the token, in other words why is it used and does it have to be the user id?


Thanks in advance.

Hi Ricardo.

The only immediate risk is that this validation method will, eventually, be dropped by Google, being replaced by the Admin SDK.
Until then, there is no actual security risk by using this method.

This being said, to start using the Firebase Admin SDK, the component would have to be changed, in order to reflect the new authentication from Firebase.

Regarding the GenerateToken method implementation, the extension generates a token based on the 'UserID' and adds that entry to a dictionary to validate its previous existence.

I believe the UserId is being required to have a unique identifier, but being a Text parameter, you could control this unique mapping with an extension table and use a GUID Token instead.

{ExtensionTable}.[UserId],[GUID] -> GenerateToken(GUID).


Hope this helps.

Cheers.

Hi Rui,

Thank you very much for the detailed answer, it helped a lot.

Out of mere curiosity, do you by any chance know there is a component/extension out there that already uses the Firebase Admin SDK (or being developed)?

I have yet another security related question which I was hoping you (or anyone else reading this) could answer.

For the notification system we worked on, we needed to change the read/write permissions to 'true' in order for it to function. Obviously this makes the database public and I believe it's not very safe (as seen in red):

My question is, is there a way we could make this more secure?


Thanks in advance.

Cheers,

Ricardo

Hi again.

I'm glad it helped.

As far as I know, the new SDK is not yet being implemented, so this is the only authentication mechanism available.


Regarding the rules, you can have a closer look at the documentation here.

But long story short, the recommended setup for the rules would be the following:

// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

Or, more simply

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

The True & True rules are supposed to be used only against your development configuration, whereas the previous rules should be applied to your production environment setup.

Try them out ;)

Hope it helped.


Cheers.
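To make the difference between the three rule sets concrete, here is an added example (not code from the extension or from Firebase) that simulates how the Realtime Database evaluates them for a few constructed requests. It supports only the expression forms used in the rules above (true/false, auth != null, $uid === auth.uid) and applies the same parent-to-child cascade the real engine does; the function name isAllowed and the sample paths are assumptions of this example.

```javascript
// Rule sets from the post (per-user, any-authenticated-user, and the dev-only true/true).
const PER_USER_RULES = {
  rules: { users: { "$uid": { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" } } }
};
const ANY_AUTH_RULES = { rules: { ".read": "auth != null", ".write": "auth != null" } };
const DEV_RULES = { rules: { ".read": "true", ".write": "true" } };

// Evaluate one rule expression. `auth` is null for an unauthenticated request,
// otherwise an object carrying the uid from the verified auth token.
function evalRule(expr, auth, vars) {
  const e = expr.trim();
  if (e === "true") return true;
  if (e === "false") return false;
  if (e === "auth != null") return auth !== null;
  if (e === "auth == null") return auth === null;
  const m = e.match(/^\$(\w+) === auth\.uid$/);
  if (m) return auth !== null && vars["$" + m[1]] === auth.uid;
  throw new Error("unsupported rule expression: " + expr);
}

// Walk the rules tree along `path`; access is granted if any node from the root
// down to the target grants `op` (".read" or ".write"). A literal key wins over a
// $wildcard, and a wildcard binds the path segment so "$uid === auth.uid" can be checked.
function isAllowed(rules, path, op, auth) {
  const vars = {};
  const grants = (n) => typeof n[op] === "string" && evalRule(n[op], auth, vars);
  let node = rules.rules;
  if (grants(node)) return true;
  for (const seg of path.split("/").filter(Boolean)) {
    let next = node[seg];
    if (next === undefined) {
      const wild = Object.keys(node).find((k) => k.startsWith("$"));
      if (wild === undefined) return false; // no rules further down: deny
      vars[wild] = seg;
      next = node[wild];
    }
    node = next;
    if (grants(node)) return true;
  }
  return false;
}
```

A request with auth equal to null, which is what the database sees when the client never signed in with a valid token, is denied by both production rule sets; only the true/true rules let such a client through, which is why they are for development only.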

Hi Rui,

Great information, however if I'm completely honest I'm a bit confused :/

So I tried the simpler way: 

Besides not working I get the warning message in orange (which makes sense) so out of curiosity I tried the other setup you suggested:


This setup didn't display any warnings but didn't work and I think I might know the (obvious) reason why - How does Firebase know which users or group of users are allowed to access the database?

I started fiddling around with the firebase console and found the Authentication page. How can I 'tell' Firebase who is authenticated and who is not?

As a test I tried manually adding a user here and using its UID to generate the token and it didn't work:

Sorry about the 'silly' questions but this is all new to me.

Also another quick side question: in the console where can we set how long a token is valid for? As a test I used the same token two days in a row and it worked which could be dangerous if the wrong hands get a hold of it.

Thanks again.

Cheers,

Ricardo