Joon Yee Chuah

Reputation: 13

Firebase email / password createUser security

I'm using Firebase 2.x. If I enable email/password security, how do I prevent a malicious pre-existing user from writing their own JavaScript code that would authenticate with my Firebase and then launch a createUser attack? Hypothetically, it might look like this:

var ref = new Firebase(my_fire_base);
// Log in as an ordinary, already-registered user ...
ref.authWithPassword({ email : '[email protected]', password: 'validpassword' },
    function(error, authData) {
        if (!error) {
            // ... then hammer the registration call from that session
            ref.createUser( ... ); // do this a bunch of times
        }
    });

Upvotes: 1

Views: 280

Answers (1)

Frank van Puffelen

Reputation: 598728

Since this question was cross-posted to Google Groups, I'll quote the answer that was given there:

You do not need to be authenticated to call createUser(). This is by design and how all registration systems work. It is possible for a malicious client to call createUser() a gazillion times, but this is where we build rate limiting into the service we provide and prevent people from doing this. You cannot restrict by specific origins, and even if you could, as you mentioned, this can be easily spoofed.

Upvotes: 1
