Firebase AppCheck for Firebase Auth
Firebase Auth provides a REST API to create/delete/edit auth users. As API Keys are not private, anybody can use the API.

The endpoint e.g. to create new users is publicly available and, AFAIK, can't be disabled.

This is in my opinion a bad situation, as e.g. an attacker could create lots of users via this endpoint that are not valid users for our system. An attacker could block valid email addresses of customers, who would then not be able to create their valid accounts.

If an attacker knows a userID he could even delete auth users.

We added user claims (which can only be set via the Admin API and not via the public API) to ensure only users created by us are allowed to access our systems, but it would mean a lot of effort on our side to regularly delete users not created via our system.

Is it planned to protect FirebaseAuth also via AppCheck to allow only verified apps to access the auth api?

Antipyrine answered 22/11, 2021 at 11:39
"If an attacker knows a userID he could even delete auth users." To delete a user account you either need to enter that user's credentials, or have administrative access to the project. Knowing their UID is not good enough. Also see: #37222260 – Volley
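The question mentions custom claims set through the Admin API as the marker for accounts provisioned by the backend, and the effort of regularly deleting accounts that lack it. The following is an added example (not code from the original post or from Firebase) of that cleanup job. It assumes, as the thread does not spell out, that the backend sets a custom claim named `provisioned: true` on accounts it creates, and that an unprovisioned account older than a grace period (`GRACE_HOURS`, chosen here) is junk from the public signUp endpoint. The decision logic is pure so it can be dry-run offline on constructed records; the Admin SDK wiring (`listUsers`, `deleteUsers`) is kept in a separate function that needs credentials to execute.

```javascript
// Added example, not from the original post: delete Auth accounts created
// through the public signUp endpoint that our backend never provisioned.
// Assumed convention (not stated in the thread): provisioned accounts carry
// the custom claim { provisioned: true }, set via the Admin SDK.

const GRACE_HOURS = 24; // assumed grace period before an unprovisioned account is removed

// Pure decision logic. `users` follow the shape of the Admin SDK's UserRecord
// (uid, customClaims, metadata.creationTime as an RFC 2822 UTC string).
// Returns the uids that should be deleted as of `now`.
function selectStaleUnprovisioned(users, now = new Date()) {
  const cutoff = now.getTime() - GRACE_HOURS * 60 * 60 * 1000;
  return users
    .filter((u) => !(u.customClaims && u.customClaims.provisioned === true))
    .filter((u) => Date.parse(u.metadata.creationTime) < cutoff)
    .map((u) => u.uid);
}

// Wiring against the real Admin SDK (`admin.auth()`), which needs
// `firebase-admin` and service-account credentials; not executed by the
// offline dry run. listUsers returns at most 1000 records per page and
// deleteUsers accepts at most 1000 uids, so both work page by page.
async function runCleanup(auth) {
  let pageToken;
  let deleted = 0;
  do {
    const page = await auth.listUsers(1000, pageToken);
    const uids = selectStaleUnprovisioned(page.users);
    if (uids.length > 0) {
      const result = await auth.deleteUsers(uids);
      deleted += result.successCount;
    }
    pageToken = page.pageToken;
  } while (pageToken);
  return deleted;
}

// Constructed sample records for the offline dry run.
const SAMPLE_NOW = new Date('2021-11-23T12:00:00Z');
const SAMPLE_USERS = [
  // provisioned by our backend: keep regardless of age
  { uid: 'u1', customClaims: { provisioned: true }, metadata: { creationTime: 'Mon, 01 Nov 2021 10:00:00 GMT' } },
  // created via the public endpoint, older than the grace period: delete
  { uid: 'u2', customClaims: undefined, metadata: { creationTime: 'Mon, 22 Nov 2021 10:00:00 GMT' } },
  // created via the public endpoint but still inside the grace period: keep for now
  { uid: 'u3', metadata: { creationTime: 'Tue, 23 Nov 2021 11:30:00 GMT' } },
];

function dryRun() {
  return selectStaleUnprovisioned(SAMPLE_USERS, SAMPLE_NOW);
}

console.log('would delete:', dryRun()); // prints: would delete: [ 'u2' ]
```

In a real deployment `runCleanup(admin.auth())` would be called from a scheduled Cloud Function or a cron job; the grace period exists so that a legitimate signUp that the backend has not yet marked is not removed mid-flow.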
At this point, I would say it's unlikely as this type of abuse is considered a low risk in comparison to the APIs that app check is protecting.

The public-facing Firebase Auth APIs are rate-limited and the web APIs in particular must come from your permitted auth domains. However, one of the platform's key selling points is the ability to handle many concurrent users.

  • 100 accounts/IP address/hour can be created
  • 10 accounts/second can be deleted
  • Can handle 1000 requests/second, 10 million requests/day for public APIs across a project

The per-IP address limits are bypassed by using the Admin SDKs (subject to a 500 requests/second limit). You can also boost these limits temporarily from the Firebase Console if you are expecting a spike in demand (e.g. you offer a Black Friday sale).

Only the Firebase Auth API for creating users is "exposed", but limited as detailed above.

Editing, deleting, updating a user's details both metadata and the account itself are privileged actions - you must be appropriately authenticated to make changes. In the case of a user account connecting from a client device, you must have signed in within about 5 minutes to be able to update/delete your own account. When using an Admin SDK, the requests are authenticated with a service account's credentials which authorizes it to make changes on behalf of users or the system.

If your system were to be abused in such a fashion, reaching out to Firebase Support would be your point of call.

Jacklynjackman answered 22/11, 2021 at 12:20
Great answer Sam! 👍 🙏 – Volley
Ok thanks for the detailed explanation. But my valid users still could delete their own auth accounts via the REST API. Is that correct? Seems unlikely but they could make their own account dysfunctional. I still find it strange that the API is publicly available. – Antipyrine
@Antipyrine If a user wants to delete their own account, they should be permitted to delete their own account. If a user has to learn the REST API just to delete their account that's a very bad user experience - your app should have some UI in place to streamline that - even if it is just to send an email to you with a request to delete the account. Furthermore, Firebase is a serverless-first platform, if there isn't a backend server to interact with, a public API would be their only choice to create/update/delete their accounts. – Jacklynjackman
Yes I agree, people should be allowed to delete their account if they want. The problem is that if they delete the Auth account, other data, e.g. on Firestore, is not handled correctly. That's the reason why I would like to disallow deleting an auth user directly via the REST API and allow deletion only via our app/API. – Antipyrine
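The comment thread above ends on the real risk of self-service deletion: an account removed through the public API leaves application data behind. Rather than trying to block the endpoint, the defensive pattern is to react to the deletion event server-side. The following is an added example (not code from the answer, the asker, or Firebase) of an Auth `onDelete` Cloud Function that removes the user's Firestore data. It assumes, as the thread does not state, that per-user data lives under the Firestore document `users/{uid}` (including subcollections) and that the function runs with the Admin SDK. The handler is written against the two Firestore calls it needs (`collection().doc()` and `recursiveDelete`) so it can be exercised offline with a constructed stand-in; the trigger registration needs `firebase-functions` and `firebase-admin` and is not executed in the dry run.

```javascript
// Added example, not from the original answer: keep Firestore consistent
// when an Auth account is deleted through the public API.
// Assumed data layout (not stated in the thread): users/{uid} plus its
// subcollections hold everything that belongs to one user.

// Handler logic. `db` is a firebase-admin Firestore instance (or, offline,
// the stand-in below); recursiveDelete (firebase-admin v10+) removes the
// document together with all nested subcollections.
async function cleanupUserData(db, uid) {
  if (typeof uid !== 'string' || uid.length === 0) {
    throw new Error('cleanupUserData: uid is required');
  }
  const userRef = db.collection('users').doc(uid);
  await db.recursiveDelete(userRef);
  return userRef.path; // e.g. 'users/<uid>', useful for logging
}

// Trigger wiring for a deployed Cloud Function (v1 API). The Auth onDelete
// event fires whether the account was removed from the client SDK/REST API
// or from the Admin SDK, so both paths end up cleaned. Not run offline.
function registerTrigger() {
  const functions = require('firebase-functions');
  const admin = require('firebase-admin');
  admin.initializeApp();
  return functions.auth.user().onDelete((user) =>
    cleanupUserData(admin.firestore(), user.uid)
  );
}

// Constructed in-memory stand-in exposing only the calls the handler uses,
// so the logic can be checked without a Firebase project.
function makeFakeFirestore() {
  const deleted = [];
  return {
    deleted,
    collection(name) {
      return { doc(id) { return { path: `${name}/${id}` }; } };
    },
    async recursiveDelete(ref) { deleted.push(ref.path); },
  };
}

async function dryRun() {
  const db = makeFakeFirestore();
  await cleanupUserData(db, 'u2'); // 'u2' is a constructed uid
  return db.deleted; // ['users/u2']
}

dryRun().then((paths) => console.log('deleted:', paths)); // prints: deleted: [ 'users/u2' ]
```

In a Functions codebase the registration would be exported, e.g. `exports.onUserDeleted = registerTrigger();`. The empty-uid check matters because an event with no uid would otherwise resolve to a bogus path and silently do nothing.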
2 years later, it is coming. I can't find any documentation on the setup, but in the Firebase console AppCheck section it shows "Authentication (Beta)" under the APIs.

I am seeing all my traffic logged there as "Unverified requests".

Cyanosis answered 9/8, 2023 at 19:59
Nice find. I will check it out. – Antipyrine
