
Firebase authentication exposes firebaseAuthToken, is it secure?

I'm trying to provide Google Login for my Firebase application, following https://www.firebase.com/docs/security/simple-login-overview.html

It appears that after a successful login, a user can be obtained, hence it could, for example, be stored in the Angular scope, e.g. $scope.loggedInUser. (Depending on your implementation, it doesn't have to be Angular.)

My question is, is it a security risk that the user returned by Firebase, with lots of authentication tokens, can be exposed? The code is in JavaScript, so somehow hackers should be able to hijack and steal the user by embedding some code in a browser.

The bits that raise my concern are: accessToken, firebaseAuthToken

If it is a risk, how can we secure it?


Please refer to the code below for authentication and user data.

Here's the code for authentication:

authModule.controller( 'AuthController', [
  '$scope',
  '$firebase',
  function ( $scope, $firebase ) {
    var ref = new Firebase( 'https://test123.firebaseio.com' );

    var auth = new FirebaseSimpleLogin( ref, function ( error, user ) {
      if ( user ) {
        $scope.loggedInUser = user; // user has authenticated, this user contains security information
      }
    } );

    $scope.login = function () {
      auth.login( "google", {
        scope: 'https://www.googleapis.com/auth/plus.login'
      } );
    };
  }] );

What's contained in loggedInUser (this is just example data):

loggedInUser:  { 
    id: 7058267704789236427849
    uid: google:7058267704789236427849
    displayName: Joe Bloggs
    provider: google
    thirdPartyUserData:  { 
        id: 709139364278942374
        email: test@gmail.com
        verified_email: true
        name: Joe Bloggs
        given_name: Joe
        family_name: Bloggs
        link: https://plus.google.com/2672340913423423
        picture: https://lh3.googleusercontent.com/.../photo.jpg
        gender: male
        locale: en-GB
     } 
    accessToken: W8k8dD6vvLEdlWa-dxkJD8lvWIwzea6m_86um8...
    email: test@gmail.com
    firebaseAuthToken: Q3Mjc4MzYsInYiOjAsImQiOnsiaWQiOiIxMDk0...
 } 

This is fundamentally a question about OAuth and how it operates. The generation of an encrypted token is fundamental to this process. There are plenty of opinions on whether and where it is okay to store this token (cookies, local storage, memory, etc).

Is a token secure? When utilized over an SSL session, OAuth is quite secure. Firebase utilizes the same OAuth practices and encryption as the other big names, all of whom provide OAuth tokens in a similar manner (in fact, in Simple Login, you can obtain your Facebook auth token, for instance, as part of the login payload, exactly as it's given to us via Facebook's API).

That's not to say that OAuth is without its warts. There is no perfect answer in security since everything is a trade-off. The only completely secure system is the one that doesn't exist physically, isn't connected to any network, and can't be accessed by human beings.

Regarding XSS, etc: In essence, once the trolls are in the castle, the china is going to get broken. If the client is compromised, then nothing is secure. If a user manages to somehow compromise your client's browser or execute a successful XSS, then they can gain access to your account in a number of ways, regardless of whether we're talking OAuth tokens or plain login/password fields.

In summary, if you trust Google, Facebook, Twitter, Yahoo, and M$ authentication to be relatively secure, then you can have the same faith in the Firebase authentication schema.

To provide more answers to my own question so that it can be beneficial for other people who come across the same question, I tried to log in, log out, and log in again. Each time I get different tokens (for both: accessToken, firebaseAuthToken). So these tokens act like a sessionId and would expire when logging out.

Found an answer from Andrew Lee from Firebase. He explains that the tokens are time-bound and can be kept in browser localStorage (and this is how we are supposed to maintain an active session).

Please refer to: https://stackoverflow.com/a/14094165/2810746
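The self-answer above notes that the tokens are time-bound and behave like a session id. As an added example (not code from the original post or from Firebase), the snippet below builds a constructed JWT-style token and reads its issue and expiry claims before deciding whether a stored token is still usable; it assumes the firebaseAuthToken is a JWT carrying an `exp` claim, and the user id and signature below are placeholders, not real values.

```javascript
// Added example, not from the original post. Inspects the time bounds of a
// JWT-style auth token kept in the client (e.g. in localStorage).
// Caveat: decoding the payload only reveals the claims; it does NOT verify the
// signature, so a client can only use this to decide when to re-authenticate,
// never to trust the token's contents.

function base64UrlDecode(part) {
  const pad = '='.repeat((4 - (part.length % 4)) % 4);
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample token: shape assumed from the truncated payload in the
// question ("v":0, "d":{...}); the id and signature are placeholders.
function makeSampleToken(issuedAt, lifetimeSeconds) {
  const header = base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'HS256' }));
  const payload = base64UrlEncode(JSON.stringify({
    v: 0,
    iat: issuedAt,
    exp: issuedAt + lifetimeSeconds,
    d: { id: 'CONSTRUCTED-USER-ID', provider: 'google' },
  }));
  return `${header}.${payload}.SIGNATURE-PLACEHOLDER`;
}

// Returns the token's time bounds relative to nowSeconds (Unix time).
function inspectToken(token, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 dot-separated parts');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  const exp = typeof claims.exp === 'number' ? claims.exp : null;
  return {
    uid: claims.d && claims.d.id,
    issuedAt: claims.iat,
    expiresAt: exp,
    secondsLeft: exp === null ? null : exp - nowSeconds,
    // A token with no exp claim is treated as never expiring here; a client
    // should still drop it on logout, as the self-answer observes.
    expired: exp !== null && nowSeconds >= exp,
  };
}

module.exports = { makeSampleToken, inspectToken };
```

A client that restores a token from localStorage can call `inspectToken` first and prompt for a fresh login when `expired` is true, instead of sending a stale token.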
