Joon

Reputation: 9894

Is Firebase Auth's local (persisted auth state) secure and safe from XSS and CSRF for browsers?

I am using Firebase Auth for a web app that involves financial transactions. Thus, security is the most important thing for my app. According to this doc, Firebase can persist its token across multiple sessions by storing it somewhere. It does not mention how safe it is from XSS. Of course, I can just assume it's safe because it's Google, but I want to know more about it.

We've all read articles noting how localStorage is unsafe for storing auth, and cookie + csrf token + jwt + httpOnly is a more secure way to handle auth for browsers.

How does Firebase store its token? Does it use localStorage or cookies, or a combination of both?

Upvotes: 8

Views: 3622

Answers (1)

R. Wright

Reputation: 1035

Firestore saves the token in an Indexed DB (https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API). The DB is named "firebaseLocalStorageDb", the object store is named "firebaseLocalStorage", and the key is firebase:authUser:[id].

For further code review, check out https://github.com/firebase/firebase-js-sdk/blob/master/packages/auth/src/authuser.js .

Upvotes: 7
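The following audit helper is an added example, not code from the question, the answer, or the Firebase SDK. It takes the database and object-store names given in the answer and reports what the Firebase Auth web SDK has persisted for the current origin, without ever logging a token value. It assumes (as an assumption, not something the page states) that each record has the shape `{ fbase_key, value }` and that `value.stsTokenManager` holds `accessToken`, `refreshToken` and `expirationTime`; the sample record at the bottom is constructed with fake values so the summariser can be exercised outside a browser.

```javascript
// Added audit helper (not from the question, the answer, or the Firebase SDK).
// Assumed record shape: { fbase_key, value }, with value.stsTokenManager
// holding accessToken / refreshToken / expirationTime.

const DB_NAME = 'firebaseLocalStorageDb';   // database name from the answer
const STORE_NAME = 'firebaseLocalStorage';  // object store name from the answer
const AUTH_KEY_PREFIX = 'firebase:authUser:';

// Pure summariser: turns raw records into a report that is safe to log.
// Token values are reduced to presence/expiry booleans and never returned.
function summarizeAuthRecords(records, now = Date.now()) {
  return records
    .filter(r => typeof r.fbase_key === 'string' && r.fbase_key.startsWith(AUTH_KEY_PREFIX))
    .map(r => {
      const value = r.value || {};
      const tm = value.stsTokenManager || {};
      const exp = typeof tm.expirationTime === 'number' ? tm.expirationTime : null;
      return {
        key: r.fbase_key,
        uid: typeof value.uid === 'string' ? value.uid : null,
        hasAccessToken: typeof tm.accessToken === 'string' && tm.accessToken.length > 0,
        hasRefreshToken: typeof tm.refreshToken === 'string' && tm.refreshToken.length > 0,
        // null when no expiry is recorded; otherwise whether it has already passed
        accessTokenExpired: exp === null ? null : exp <= now,
      };
    });
}

// Browser-only: read every record from the store. Resolves to [] when
// IndexedDB is unavailable (Node, storage disabled) or the DB does not exist.
// Aborting in onupgradeneeded stops indexedDB.open from creating an empty DB
// as a side effect when Firebase has never written one.
function readFirebaseAuthRecords() {
  if (typeof indexedDB === 'undefined') return Promise.resolve([]);
  return new Promise((resolve, reject) => {
    const open = indexedDB.open(DB_NAME);
    open.onupgradeneeded = () => open.transaction.abort();
    open.onerror = () => {
      if (open.error && open.error.name === 'AbortError') resolve([]);
      else reject(open.error);
    };
    open.onsuccess = () => {
      const db = open.result;
      if (!db.objectStoreNames.contains(STORE_NAME)) { db.close(); resolve([]); return; }
      const req = db.transaction(STORE_NAME, 'readonly').objectStore(STORE_NAME).getAll();
      req.onerror = () => { db.close(); reject(req.error); };
      req.onsuccess = () => { db.close(); resolve(req.result); };
    };
  });
}

// Constructed sample (fake values, assumed shape) for running outside a browser.
const SAMPLE_RECORDS = [
  {
    fbase_key: AUTH_KEY_PREFIX + 'EXAMPLE_APP_ID',
    value: {
      uid: 'user-123',
      stsTokenManager: {
        accessToken: 'fake.access.token',
        refreshToken: 'fake-refresh-token',
        expirationTime: 1000, // constructed: already in the past for now=2000
      },
    },
  },
  { fbase_key: 'firebase:somethingElse:EXAMPLE_APP_ID', value: { unrelated: true } },
];

// In a browser console: readFirebaseAuthRecords().then(r => console.table(summarizeAuthRecords(r)));
// In Node, exercise the summariser on the constructed sample:
console.table(summarizeAuthRecords(SAMPLE_RECORDS, 2000));
```

The point the script makes about the question's XSS concern is in its first line: IndexedDB, like localStorage, is readable by any script running in the page's origin, so persisted Firebase credentials are only as protected as the page is from script injection, and the usual XSS controls (strict CSP, output encoding, no untrusted third-party script) are what protect them. The CSRF concern is different: the token is not a cookie, so the browser never attaches it automatically to a cross-site request; the SDK has to read it and send it. If persistence across browser sessions is not needed for a financial app, the SDK's own persistence setting can be tightened (`browserSessionPersistence` or `inMemoryPersistence` in the modular SDK; `firebase.auth.Auth.Persistence.SESSION` or `NONE` in the namespaced SDK), and this helper is a quick way to confirm, after the change, that nothing is left in the store.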
