英文:
Why can anyone with a valid idToken run arbitrary REST API calls on Firebase?
问题
你如何防止任何获取了idToken的人针对您的Firebase项目运行任意命令?
假设我有一个通过JS接口使用Firebase服务的网站:这里使用的功能可能是身份验证和Firestore。
虽然这是一个明显滥用的边缘情况,但您网站应用的任何用户在检索到idToken(经过身份验证后)后都可以对您的服务运行REST命令,包括更新他们自己的电子邮件,而您无需了解Firebase方面的更改。他们只需要获取idToken和web api key,这不是私有概念。
据我了解,有方法可以限制您的API的配额,但我还没有找到关闭特定端点的方法。您如何阻止用户玩弄他们自己的数据 - 或者我有什么误解吗?
英文:
How can you prevent anyone who got hold of an idToken from running arbitrary commands against your Firebase project?
Let's say I have a website using Firebase services through the JS interface: functions used here might be authentication and Firestore.
While this is an edge-case of clear abuse, any user of your web application who retrieves the idToken (after authentication) can run REST commands against your services, including updating their own email without you knowing about that Firebase-side change. All they need is to grab the idToken and the web api key, which is not a private concept.
As I understand, there are ways to limit the quotas of your APIs, but I haven't found a way to turn off specific endpoints. How do you stop users from playing with their own data - or am I misunderstanding anything here?
答案1
得分: 1
如果有人拥有用户的idToken,这意味着他要么是该用户并已登录,要么是从已登录的用户那里收到了idToken。这对于任何身份验证系统都是如此,我们无法阻止用户共享idToken,或者更容易地与其他人共享他/她的凭据。
是的,使用idToken和项目API密钥,用户可以通过调用updateEmail()方法或通过发出HTTP POST请求到由Firebase身份验证REST API公开的setAccountInfo端点来更新他的电子邮件。据我所知,在使用默认的Firebase电子邮件/密码身份验证提供程序时,没有任何方法可以阻止这样做。这是Firebase做出的选择,某种程度上考虑到用户是他个人信息的完全所有者。
但请注意,当用户调用此方法时:
- 会向原始电子邮件地址(如果已设置)发送一封电子邮件,允许撤销电子邮件地址更改,以防止账户被劫持。
- 调用此方法是“需要用户最近登录的安全敏感操作”。
另一种解决方案是以一种方式将Firebase身份验证与自定义身份验证系统集成,以便您完全控制更改用户帐户详细信息的可能性。
英文:
If someone has a user's idToken it means that either he is the user and he has signed-in or he has received the idToken from a signed-in user. This is the case for any authentication system and we cannot prevent a user sharing the idToken, or much easier, sharing his/her credentials with someone else.
And yes, with the idToken and the Project API key a user can update his email by calling the updateEmail() method or by issuing an HTTP POST request to the setAccountInfo endpoint exposed by the Firebase Auth REST API. AFAIK there isn't any way to prevent that when using the default Firebase email/password authentication provider. This is a choice made by Firebase which, somehow, considers that the user is the full owner of his personal info.
Note however that when a user calls this method:
- An email "will be sent to the original email address (if it was set) that allows to revoke the email address change, in order to protect them from account hijacking".
- Calling this method is "a security sensitive operation that requires the user to have recently signed in".
An alternative solution is to integrate Firebase Authentication with a custom authentication system in such a way you fully control the possibilities to change the user account details.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论