Connor Black

Reputation: 7181

Firebase & Backbone: Application Authentication

Currently I'm building an application using Firebase and backbone.marionette and I'm trying to implement secure sessions. Previously, I was able to simply bypass the login page by typing in a specific route in the URL bar, but to fix this I added an initializer to the app to check if a user is logged in or not, like so:

    @addInitializer((options) =>
        # Instantiate firebase
        @firebase = new Firebase("https://*******.firebaseIO.com/")

        # Register the auth callback; it fires on login, logout and error
        @authClient = new FirebaseAuthClient @firebase,
            (error, user) =>
                if (error)
                    console.log(error)
                else if (user)
                    console.log('User ID: ' + user.id + ', Provider: ' + user.provider)
                    @logged = true
                    @trigger('logged_in')
                    @router.navigate('home', {trigger: true})
                else
                    @logged = false
                    @trigger('logged_out')
                    @router.navigate('login', {trigger: true})
    )

And now before I render a page in routes.coffee I check if @logged is true or not.

But I feel like this is sketchy security at best. Couldn't someone just fire up the console and set the flag to true themselves?

Does anyone know the proper way to do sessions with backbone and firebase?

Upvotes: 0

Views: 520

Answers (1)

Andrew Lee

Reputation: 10185

There's fundamentally no way to guarantee security on the client side. A smart hacker can always get around any restrictions you place on the GUI (such as setting @logged to true).

Instead, you need to set up security rules on the Firebase side so that non-authenticated users can't change data they're not supposed to. This way, even if a hacker messes with your GUI they can't actually access or change anything they're not supposed to.

There's an overview of Firebase auth and security rules here: https://www.firebase.com/docs/security-quickstart.html

Upvotes: 1
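A rules file along the lines the answer describes, added here as an example (not code from the question or the linked docs). The `users/$user_id` and `public` paths are assumptions about the app's data layout; `auth` is the variable Firebase exposes to rules for the currently authenticated user, and it is `null` for anyone who is not logged in, regardless of what the client-side `@logged` flag says.

```json
{
  "rules": {
    // Root stays closed; specific paths below open what they need.
    ".read": false,
    ".write": false,

    // Assumed layout: each user's private data lives under users/<id>.
    "users": {
      "$user_id": {
        // Only a logged-in user whose provider id matches the path segment.
        ".read": "auth != null && auth.id == $user_id",
        ".write": "auth != null && auth.id == $user_id"
      }
    },

    // Assumed layout: data anyone may read, but only logged-in users may write.
    "public": {
      ".read": true,
      ".write": "auth != null"
    }
  }
}
```

Rules cascade downwards: a permission granted at a parent node cannot be revoked at a child, so keep the root denied and grant access only at the narrowest path that needs it.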
