CSRF Protection with Firebase Email/Password Authentication


Problem description

I am working on deploying my Node.js app into production. We had been running into some CSRF issues but after looking deeper into the problem and learning more about CSRF attacks, I'm wondering if we even need to perform these checks.

Our API is whitelisted from our CSRF checks so our mobile apps that rely on the API can run properly (we're working on securing that currently). On the web frontend, we allow our users to register/log in and create/edit their data. We use Firebase's email/password authentication system to perform authentication (https://firebase.google.com/docs/auth/web/password-auth). As I understand it, this means we don't have to worry about CSRF attacks on registering and logging in because Firebase handles that. My question is: if we make sure our users are authenticated with Firebase on each Post route in our app, does that mean we don't have to worry about CSRF attacks?

Recommended answer

CSRF becomes an issue when you are saving a session cookie. Firebase Auth currently persists the Auth state in web storage (localStorage/indexedDB), and it is not transmitted along with requests. You are expected to run client-side code to get the Firebase ID token and pass it along with the request via a header, the POST body, etc. On your backend, you would verify the ID token before serving restricted content or processing authenticated requests. This is why, in its current form, CSRF is not a problem: JavaScript is needed to get the ID token from local storage, and local storage is single-origin, making it inaccessible from different origins.

If you plan to save the ID token in a cookie or set your own session cookie after Firebase Authentication, you should then look into guarding against CSRF attacks.
