Is Firebase E-mail Auth example secure?

Problem description

I am trying the JS SDK of Firebase; naturally, I picked up the provided example and started to dive in.

The example code is for e-mail sign-in, hosted on Firebase.

What surprises me is that all password compliance is done client-side:

    ...
    function toggleSignIn() {
      if (firebase.auth().currentUser) {
        // [START signout]
        firebase.auth().signOut();
        // [END signout]
      } else {
        var email = document.getElementById('email').value;
        var password = document.getElementById('password').value;
        if (email.length < 4) {
          alert('Please enter an email address.');
          return;
        }
        if (password.length < 4) {
          alert('Please enter a password.');
          return;
        }
    ...

What mechanism prevents someone from opening the code in the console, removing the check, and registering with an empty string as e-mail/password?

Searching for Firebase security only tells me that everything is done over HTTPS, and that server-side rules are customizable to prevent anyone not signed in from editing the DB, but what about this?

Solution

The sample code you link to is from the documentation of the Firebase email+password authentication provider. I recommend reading the documentation page too, instead of just the sample code in isolation.

When I try to create a user with a short password (123), the Firebase Authentication server responds with:

{code: "auth/weak-password", message: "The password must be 6 characters long or more."}

As you can see, the server validates the strength of the password too.

It is quite common to perform validations both client- and server-side.

  • Validations must be performed on the server to ensure that they can't be hacked around, as you said.
  • By also validating the values client-side, you can ensure a better user experience. In this example: you can prevent the need for a round-trip to the server in case the user enters an invalid email address.
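The two-layer pattern the answer describes, as an added example that is not part of the original question, the answer, or the Firebase SDK: a client-side check that exists only for user experience, a stand-in "server" that enforces the same rule and returns the error shape quoted in the answer (`auth/weak-password`, "The password must be 6 characters long or more."), and a sign-up flow that handles both. The backend here is a constructed simulation, not Firebase code; the real SDK returns promises rather than throwing synchronously, and the `auth/invalid-email` code is a real Firebase Auth error code used in the stand-in for a second rejection path.

```javascript
// Added example: client-side validation for UX, server-side validation as the
// enforcement point. The "server" is a constructed stand-in, not Firebase code.

const MIN_PASSWORD_LENGTH = 6; // the limit the Firebase server enforces, per the answer

// Client-side checks. Anyone can strip these in the browser console, so they
// are a convenience (saving a round trip), not a security boundary.
function clientValidate(email, password) {
  const problems = [];
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    problems.push("Please enter a valid email address.");
  }
  if (password.length < MIN_PASSWORD_LENGTH) {
    problems.push(`Password must be at least ${MIN_PASSWORD_LENGTH} characters.`);
  }
  return problems;
}

// Simulated backend (constructed): applies the same rules regardless of what
// the client did, and fails with the {code, message} shape Firebase Auth uses.
function simulatedServerCreateUser(email, password) {
  if (!email.includes("@")) {
    // auth/invalid-email is a real Firebase Auth error code; message is constructed.
    throw { code: "auth/invalid-email", message: "The email address is badly formatted." };
  }
  if (password.length < MIN_PASSWORD_LENGTH) {
    // Exactly the response quoted in the answer.
    throw { code: "auth/weak-password", message: "The password must be 6 characters long or more." };
  }
  return { uid: "constructed-uid", email };
}

// Sign-up flow: validate locally first, then call the server and translate its
// error codes into user-facing text. `createUser` is injectable so the flow
// can be exercised offline against the stand-in above.
function signUp(email, password, createUser = simulatedServerCreateUser) {
  const problems = clientValidate(email, password);
  if (problems.length > 0) {
    return { ok: false, source: "client", problems };
  }
  try {
    return { ok: true, source: "server", user: createUser(email, password) };
  } catch (err) {
    const text = {
      "auth/weak-password": "Choose a longer password (6+ characters).",
      "auth/invalid-email": "That email address is not valid.",
    }[err.code] || "Sign-up failed: " + err.message;
    return { ok: false, source: "server", code: err.code, problems: [text] };
  }
}

// The scenario from the question: the client checks are bypassed entirely and
// the backend is called directly. The server still rejects weak input.
function bypassClientChecks(email, password) {
  try {
    simulatedServerCreateUser(email, password);
    return { rejected: false };
  } catch (err) {
    return { rejected: true, code: err.code };
  }
}

console.log(signUp("user@example.test", "123"));          // stopped client-side
console.log(bypassClientChecks("user@example.test", "123")); // stopped server-side
console.log(signUp("user@example.test", "secret1"));      // accepted
```

The point to take from `bypassClientChecks` is that the outcome does not depend on the client code at all; only the rules the server applies matter for security, which is why the client-side length check in the sample can be set anywhere convenient for UX.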
