Session authorization still works after user is removed from system


Marty Nelson

Jun 11, 2015, 4:29:27 PM
to fireba...@googlegroups.com
I discovered while wiping out a dev environment that if the browser has a localStorage session object, it still allows access to the system even though the user has been deleted via the console.

I was able to both read and write against security rules of the "is authed user" variety:

    "users": {
      "$userKey": {
        ".read": "auth.uid === $userKey",
        ".write": "auth.uid === $userKey",
        ...

Shouldn't the token be invalid if the registered user is removed?

Jacob Wenger

Jun 11, 2015, 4:55:37 PM
to fireba...@googlegroups.com
Hey Marty,

Thanks for reporting this. This is a known bug on our end. As you noted, after deleting a user, existing auth tokens are still valid and can be used to read and write to your Firebase database. Security Rules are still enforced on these tokens and that user will still only be able to access their own Firebase data (if your rules are set up as such). Those auth tokens will be valid until they expire. There is currently no workaround for this bug although we are going to be fixing this in a future release.

Jacob

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/6ed6f268-a16d-47a0-97aa-eaea216f1cfd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
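The token lifetime Jacob describes above, as an added illustration that is not Firebase's code and was not posted by anyone in this thread. The token layout, the users table, the revocation marker and the rule evaluator are all assumptions made up for the model; the one thing taken from the thread is the rule auth.uid === $userKey. It shows a deleted user's token still passing that rule until it expires, the rule still scoping the token to its own uid, and how a server-side check (user record must still exist, token must have been issued after any recorded revocation time) closes the window. That check is a general mitigation for self-contained bearer tokens, not something the 2015 console did.

```javascript
// Added example, not Firebase's code: a toy model of a bearer session token
// checked against the thread's rule, showing why deleting the user record does
// not invalidate tokens already issued, and what a revocation check adds.
// Token layout, the users table and the rule evaluator are all constructed here.

// Fresh system state: two sample users (constructed data) and, per uid, a
// "tokens issued before this time are invalid" marker used by the mitigation.
function newSystem() {
  return {
    users: {
      "simplelogin:1": { email: "marty@example.com" },
      "simplelogin:2": { email: "other@example.com" },
    },
    tokensValidAfter: {},
  };
}

// Issue a session token. Assumed simplified payload: uid, issue time and
// expiry, all in seconds since the epoch. The token is self-contained, which
// is the whole problem: nothing in it points back to a live user record.
function makeToken(uid, issuedAt, ttlSeconds) {
  return { uid: uid, iat: issuedAt, exp: issuedAt + ttlSeconds };
}

// The rule from the thread, ".read": "auth.uid === $userKey", evaluated for a
// request to users/$userKey. auth is null for unauthenticated requests.
function readRuleAllows(auth, userKey) {
  return auth !== null && auth.uid === userKey;
}

// Stateless check, modelling the behaviour Jacob describes: the server only
// verifies the token has not expired, then runs the rule. The users table is
// never consulted, so a deleted user's token keeps passing until exp.
function canReadStateless(token, userKey, now) {
  const auth = token !== null && now < token.exp ? { uid: token.uid } : null;
  return readRuleAllows(auth, userKey);
}

// Deleting the user in the console: removes the record and nothing else.
function deleteUser(sys, uid) {
  delete sys.users[uid];
}

// Added mitigation (assumed, not Firebase 2015 behaviour): "sign out
// everywhere" by recording a revocation time; older tokens are rejected.
function revokeAllSessions(sys, uid, now) {
  sys.tokensValidAfter[uid] = now;
}

// Stateful check: same as canReadStateless, plus the user must still exist
// and the token must have been issued after any recorded revocation time.
function canReadWithRevocation(sys, token, userKey, now) {
  if (token === null || now >= token.exp) return false;
  if (!(token.uid in sys.users)) return false;
  const validAfter = sys.tokensValidAfter[token.uid];
  if (validAfter !== undefined && token.iat < validAfter) return false;
  return readRuleAllows({ uid: token.uid }, userKey);
}

// Walk through the scenario from the thread; returns each outcome by name.
function scenario() {
  const sys = newSystem();
  const t0 = 1434054000;               // constructed issue time (seconds)
  const day = 24 * 3600;
  const r = {};

  // Marty's case: token issued, then the user is deleted via the console.
  const tok1 = makeToken("simplelogin:1", t0, day);
  r.beforeDelete = canReadStateless(tok1, "simplelogin:1", t0 + 60);
  deleteUser(sys, "simplelogin:1");
  r.afterDeleteStateless = canReadStateless(tok1, "simplelogin:1", t0 + 60);       // still true
  r.afterDeleteOtherUsersData = canReadStateless(tok1, "simplelogin:2", t0 + 60);  // rule still scopes it
  r.afterExpiry = canReadStateless(tok1, "simplelogin:1", t0 + day);               // false once expired
  r.afterDeleteWithCheck = canReadWithRevocation(sys, tok1, "simplelogin:1", t0 + 60); // false

  // Revocation without deletion: old token rejected, token issued later accepted.
  const tok2 = makeToken("simplelogin:2", t0, day);
  revokeAllSessions(sys, "simplelogin:2", t0 + 30);
  r.revokedOldToken = canReadWithRevocation(sys, tok2, "simplelogin:2", t0 + 60);
  const tok2b = makeToken("simplelogin:2", t0 + 31, day);
  r.revokedNewToken = canReadWithRevocation(sys, tok2b, "simplelogin:2", t0 + 60);
  return r;
}

console.log(scenario());
```

Run it with node; scenario() returns each outcome by name. The practical point for the original problem: a self-contained session token cannot be revoked by deleting the record it was minted for, so either keep token lifetimes short or have the server consult state that deletion actually changes before honouring the token.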

Marty Nelson

Jun 13, 2015, 2:53:39 PM
to fireba...@googlegroups.com
Thanks for the response, Jacob.

One follow-up question/request: as we are testing Firebase and using different dev, test, and stage environments, you can end up with session tokens that load up but just malfunction against the endpoint. Not a concern I have for live app users, but it would be good if auth didn't work, or could have a property, if the endpoint URL didn't match, or if there were otherwise some way to ask Firebase to validate the session token against the URL (though it seems that should happen automatically).

Jacob Wenger

Jun 13, 2015, 2:58:36 PM
to fireba...@googlegroups.com
Hey Marty,

I'm sorry, but I don't know what you are referring to here:

"you can end up with sessions tokens that load up but just malfunction against the end point"

What does this mean? What endpoint are you talking about exactly?

Jacob

Marty Nelson

Jun 13, 2015, 3:07:00 PM
to fireba...@googlegroups.com
Sure, let me clarify -

I open up a browser tab and log into the dev instance of Firebase (my-dev.firebaseio.com).

Then I open up a browser tab against the test instance of Firebase (a different URL endpoint, my-test.firebaseio.com), and Firebase picks up the session from dev and fires the fbRef.onAuth method! This token clearly doesn't work against my-test.firebaseio.com, but there's no way to know that it didn't really authenticate; it just starts failing on getting data.

Seems like an extension of the aforementioned bug, but I wanted to point out that it seems like there's a broader issue of not really authenticating against the URL endpoint: Firebase just reconstitutes the session token and assumes its validity.

Jacob Wenger

Jun 13, 2015, 3:40:16 PM
to fireba...@googlegroups.com
Hey Marty,

I'm not able to reproduce this issue. Each Firebase instance should have its own authentication state. What version of the Firebase JavaScript library are you using? Try upgrading to the latest and see if you still have the issue.

Also, we will fire the onAuth() method even if the user is not authenticated, but the first parameter will be null. See here for an example. Can you verify that authData is in fact not null? Can you also verify that the two authDatas you get are the same? They definitely shouldn't be if you are connecting to different Firebase instances.

Jacob

Marty Nelson

Jun 13, 2015, 4:54:41 PM
to fireba...@googlegroups.com
I might be mistaken and maybe it's just old session from same url. I'll check it on Monday. 

Thx

