HACKER Q&A
📣 WolfOliver

Is the Firebase Auth Secure?


According to the documentation, I can obtain the Firebase "API" token via the following JavaScript (see [01]):

FirebaseAuth.instance.currentUser().getIdToken();

It seems like the ID token is used as an access token/API key?

As there are so many discussions that storing tokens in a place reachable by JS is very insecure [02], I'm wondering what I'm missing here.

Also, I do not really understand why it is considered to be so much more insecure. As soon as malicious code has access to the JS, it can as well make the fetch requests from the user's browser, sending along all the required cookies.

So, is it still valid not to use local storage for tokens?

[01] https://firebase.google.com/docs/reference/js/v8/firebase.User#getidtoken

[02] http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/


  👤 potamic Accepted Answer ✓
From a security point of view, the benefits of cookies are that your script cannot read the value of the cookie. Sure, malicious code could make requests through the browser, but they won't be able to retrieve the access token which would be a bigger compromise.