Unrecognized account created in fireauth


Mingrui Han

Sep 25, 2023, 1:20:03 AM
to Firebase Google Group
If others have my Firebase API key, they can create users by calling the fireauth REST endpoint.

Later, by having a valid user account, they can poke my data in the Firestore.

Is there a way to ensure fireauth only allows my front end client to create accounts and deny others?

Same for other Firebase services, can they only allow my front end to send requests?

Arthur Thompson

Sep 27, 2023, 6:17:42 PM
to fireba...@googlegroups.com
Hi Mingrui,

I think App Check is what you are looking for!


mhan...@gmail.com

Sep 28, 2023, 3:01:16 AM
to fireba...@googlegroups.com
Thanks, I'm using App Check. App Check says it doesn't protect 100% of the traffic.

Also, hackers creating accounts on my fire auth without my consent is just weird.


Arthur Thompson

Oct 24, 2023, 5:54:23 PM
to fireba...@googlegroups.com
Hi,

App Check helps protect your API resources from abuse by preventing unauthorized clients from accessing your backend resources.

You can even apply App Check to Auth if you upgrade to Firebase Authentication with Identity Platform. That way only verified (attested) clients can use Auth.

I hope this helps,
Arthur.
