Unrecognized account created in fireauth

[Mingrui Han]

If others have my firebase API key, they can create users by calling fireauth rest endpoint.

later by having a valid user account, they can poke my data in the firestore.

Is there a way to ensure fireauth only allows my front end client to create account and deny others?

same for other firebase services, can they only allow my front to send requests?

[Arthur Thompson]

Hi Mingrui,

I think App Check is what you are looking for!

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/175b1a5e-e3d7-409f-abf5-0d5517b8d135n%40googlegroups.com.

[mhan...@gmail.com]

Thanks, I’m using app check. App check says it doesn’t protect 100% of the traffic. 

Also, hackers creating account on my fire auth without my consent is just weird. 

On Sep 27, 2023, at 6:17 PM, 'Arthur Thompson' via Firebase Google Group <fireba...@googlegroups.com> wrote:



To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CANXaM1r3pno9Oa2cRqQ%2B%2BJ%2B1SoFEVk%3D3zYb0YLZhRdVSzCJ3BQ%40mail.gmail.com.

[Arthur Thompson]

Hi,

App Check helps protect your API resources from abuse by preventing unauthorized clients from accessing your backend resources.

You can even apply App Check to Auth if you upgrade to Firebase Authentication with Identity Platform. That way only verified (attested) clients can use Auth.

I hope this helps,

Arthur.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/8D750461-4E0A-42F0-835E-68F9FEDC779A%40gmail.com.