Reputation: 7853
I am trying the JS SDK of Firebase; naturally, I picked up the provided example and started to dive in.
The example code is for e-mail sign in, hosted on Firebase.
What surprises me is that all password compliance checking is done client-side:
...
function toggleSignIn() {
  if (firebase.auth().currentUser) {
    // [START signout]
    firebase.auth().signOut();
    // [END signout]
  } else {
    var email = document.getElementById('email').value;
    var password = document.getElementById('password').value;
    // Length checks on the form fields, run in the browser before sign-in
    if (email.length < 4) {
      alert('Please enter an email address.');
      return;
    }
    if (password.length < 4) {
      alert('Please enter a password.');
      return;
    }
...
What mechanism prevents someone from opening the code in the console, removing the check, and registering under an empty string as e-mail/password?
Searching for Firebase security only tells me that everything is done over HTTPS, and that server-side rules are customizable to prevent anyone not signed in from editing the DB, but what about this?
Upvotes: 2
Views: 647
Reputation: 598740
The sample code you link to is from the documentation of the Firebase email+password authentication provider. I recommend reading the documentation page too, instead of just the sample code in isolation.
When I try to create a user with a short password (123), the Firebase Authentication server responds with:
{code: "auth/weak-password", message: "The password must be 6 characters long or more."}
As you can see, the server validates the strength of the password too.
It is quite common to perform validations both client and server side.
Upvotes: 4