Ask HN: Is the Firebase Auth Secure?
6 points by WolfOliver on Oct 31, 2022 | 1 comment
According to the documentation, I can obtain the Firebase "API" token via the following JavaScript (see [01]):

// JS v8 SDK form: currentUser is a property, and getIdToken() returns a Promise
firebase.auth().currentUser.getIdToken().then((idToken) => { /* use the token */ });

It seems like the id token is used as access token/api key?

Since there are so many discussions saying that storing tokens in a place reachable by JS is very insecure [02], I'm wondering what I'm missing here.

Also, I do not really understand why it is considered to be so much more insecure. As soon as malicious code has access to the JS, it can just as well make the fetch requests from the user's browser, sending along all the required cookies.

So, is it still valid not to use local storage for tokens?

[01] https://firebase.google.com/docs/reference/js/v8/firebase.User#getidtoken

[02] http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
From a security point of view, the benefits of cookies are that your script cannot read the value of the cookie. Sure, malicious code could make requests through the browser, but they won't be able to retrieve the access token which would be a bigger compromise.