Firebase authentication - many users logged in with the same credentials


In my job we needed to implement authentication for security reasons, because we did not want the db to be completely open. We implemented anonymous authentication because the app is not based on a user profile. It works well, but it creates too many users (every time the app is uninstalled or the cache is cleared, a new user is created). Although there isn't any limit for anonymous users, it is not good to have so many UIDs in the project.

Now I was thinking of creating one user in the console (email/password authentication) and having all devices authenticate using that email and password.

Would there be a problem with that? Would Firebase limit the number of sessions for the same user?

My app has about 20 000 active users. Is it a problem to have 20 000 sessions at the same time, and also so many requests to Firebase products from the same user? It's important to be completely sure that a limit problem will not occur before I make the migration from anonymous to email/password (a single user).

CodePudding user response:

Authentication is not attestation.

If you are using Anonymous Authentication and still serving data, and only restricting access to that data based on whether a UID is present in the request, then anyone can still generate an anonymous user and access your database through a series of REST calls, since generating an anonymous user has no barrier to it.

It sounds like what you really want to do is implement AppCheck. AppCheck will ensure that your users are only accessing your application and database through approved applications, and not accessing it through REST calls or other service calls. What you could do is enable AppCheck on your project and then enable enforcement when all your users have migrated to the latest edition of your app. Your DB is still able to be accessed, but only if the request carries a valid AppCheck token, which can only be provided through an attestation provider like SafetyNet or reCAPTCHA.

CodePudding user response:

Firebase allows 50k monthly active users at the free tier but gets expensive very quickly after that. If you have Firebase Authentication with Identity Platform set up, you can enable automatic clean-up so stale accounts are removed if not used.

You could deploy a blocking function with Cloud Functions that triggers on a beforeCreate event. First, you could log IP addresses when a new user is created; then you could run a check with beforeCreate to see if that IP is already in use. Obviously, there are many reasons why that could fail, but it would at least reduce the number of duplicates.

The best thing would be to force a real sign-in method after a user is anonymous for some period of time. You can easily link an existing anonymous account to a social provider or other method to reduce friction for the UX.
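The IP check sketched in the answer above, written as an added example (not code from the answer or from Firebase) so the decision logic can be tested offline: a pure function that records each sign-up per source IP and rejects when that IP has already created an account inside a configurable window. It assumes an in-memory Map as the store (a Firestore or RTDB document in production) and a threshold of one account per IP per window, matching the "already in use" rule; the beforeCreate wiring at the end uses the firebase-functions v1 API names and is shown as a comment because it needs the Firebase SDK.

```javascript
// Assumed policy: one sign-up per IP per 24 h window (configurable).
const DEFAULT_POLICY = { maxSignupsPerWindow: 1, windowMs: 24 * 60 * 60 * 1000 };

// Records a sign-up attempt from `ip` at time `now` (ms) and returns whether the
// attempt should be allowed. `store` maps ip -> array of creation timestamps.
// Timestamps older than the window are dropped so the store does not grow forever.
function recordAndCheckSignup(store, ip, now, policy = DEFAULT_POLICY) {
  if (typeof ip !== 'string' || ip.length === 0) {
    // Some flows reach a blocking function without a client IP; fail open but
    // flag it so these cases show up in logs (the answer notes the check can fail).
    return { allowed: true, reason: 'no-ip', count: 0 };
  }
  const cutoff = now - policy.windowMs;
  const recent = (store.get(ip) || []).filter((t) => t > cutoff);
  if (recent.length >= policy.maxSignupsPerWindow) {
    store.set(ip, recent);
    return { allowed: false, reason: 'too-many-signups-from-ip', count: recent.length };
  }
  recent.push(now);
  store.set(ip, recent);
  return { allowed: true, reason: 'ok', count: recent.length };
}

// Constructed sample run: two sign-ups from the same IP inside the window, a
// third from a different IP, and a fourth from the first IP after the window.
function demo() {
  const store = new Map();
  const t0 = 1700000000000; // constructed epoch-ms timestamp
  return [
    recordAndCheckSignup(store, '203.0.113.7', t0).allowed,        // true
    recordAndCheckSignup(store, '203.0.113.7', t0 + 1000).allowed, // false
    recordAndCheckSignup(store, '203.0.113.8', t0).allowed,        // true
    recordAndCheckSignup(store, '203.0.113.7', t0 + DEFAULT_POLICY.windowMs + 1).allowed, // true
  ];
}

// Assumed wiring into a blocking function (firebase-functions v1 API; requires
// Identity Platform). `context.ipAddress` is the caller's IP as seen by Firebase.
//
//   exports.beforeCreate = functions.auth.user().beforeCreate((user, context) => {
//     const verdict = recordAndCheckSignup(store, context.ipAddress, Date.now());
//     if (!verdict.allowed) {
//       throw new functions.auth.HttpsError('resource-exhausted', verdict.reason);
//     }
//   });
```

Shared NAT egress (offices, carrier-grade NAT) means legitimate users can collide on an IP, so treat a rejection as a signal to fall back to a real sign-in method rather than a hard block.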
