CSRF Protection with Firebase Email/Password Authentication


Question

I am working on deploying my Node.js app into production. We had been running into some CSRF issues, but after looking deeper into the problem and learning more about CSRF attacks, I'm wondering if we even need to perform these checks.

Our API is whitelisted from our CSRF checks so our mobile apps that rely on the API can run properly (we're working on securing that currently). On the web frontend, we allow our users to register/log in and create/edit their data. We use Firebase's email/password authentication system to perform authentication (https://firebase.google.com/docs/auth/web/password-auth). As I understand it, this means we don't have to worry about CSRF attacks on registering and logging in because Firebase handles that. My question is: if we make sure our users are authenticated with Firebase on each POST route in our app, does that mean we don't have to worry about CSRF attacks?

Answer

CSRF becomes an issue when you are saving a session cookie. Firebase Auth currently persists the Auth State in web storage (localStorage/indexedDB), and it is not transmitted along with requests. You are expected to run client-side code to get the Firebase ID token and pass it along with the request via a header, the POST body, etc. On your backend, you would verify the ID token before serving restricted content or processing authenticated requests. This is why, in its current form, CSRF is not a problem: JavaScript is needed to get the ID token from local storage, and local storage is single-origin, making it inaccessible from different origins.

If you plan to save the ID token in a cookie or set your own session cookie after Firebase Authentication, you should then look into guarding against CSRF attacks.
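The header-based flow the answer describes, as an added example that is not part of the original answer: an Express-style middleware that takes the Firebase ID token only from the `Authorization` header and verifies it before the route runs. The verifier is injected so the example runs offline; the real one would be `admin.auth().verifyIdToken` from the firebase-admin SDK, and the stub, token value and `runMiddleware` shim are constructed for illustration.

```javascript
// Added example, not code from the original post. An Express-style middleware
// that accepts a Firebase ID token only from the Authorization header. The
// verifier is injected: in production pass admin.auth().verifyIdToken from the
// firebase-admin SDK (assumed here, not shown); the stub below is constructed.

function extractBearerToken(headers) {
  // Node lowercases incoming header names; accept both spellings for plain objects.
  const value = headers.authorization || headers.Authorization;
  if (typeof value !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(value.trim());
  return m ? m[1] : null;
}

function requireFirebaseUser(verifyIdToken) {
  return async function (req, res, next) {
    const token = extractBearerToken(req.headers || {});
    if (!token) {
      // A cross-site form post or <img> fetch sends cookies automatically but
      // cannot add this header, so a forged request is rejected here. Reading
      // the token from a cookie instead would reintroduce CSRF exposure.
      res.status(401).json({ error: 'missing bearer token' });
      return;
    }
    try {
      req.user = await verifyIdToken(token); // rejects if invalid or expired
      next();
    } catch (err) {
      res.status(401).json({ error: 'invalid ID token' });
    }
  };
}

// Constructed stand-in for admin.auth().verifyIdToken: accepts one fixed token.
async function stubVerifyIdToken(token) {
  if (token === 'valid-id-token') return { uid: 'user-123' };
  throw new Error('invalid token');
}

// Minimal res/next shim so the middleware can be exercised without Express.
async function runMiddleware(mw, req) {
  const out = { status: 200, body: null, passed: false, user: null };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  await mw(req, res, () => { out.passed = true; out.user = req.user; });
  return out;
}

const authRequired = requireFirebaseUser(stubVerifyIdToken);
```

In an Express app the middleware is mounted as `app.post('/items', authRequired, handler)`, and the browser client sends the result of `user.getIdToken()` in the `Authorization: Bearer` header of each request.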

