Is auth.token.email in Firebase callable function safe?

Time: 06-08

My Firebase project only uses Google Auth. I want to make some admin only callable functions. To do this, I check if context.auth.token.email is in the admin list.

I'm not sure this is safe or not. Is it possible for an attacker to call the function with a fake context.auth which has an email address of another Google Account?

CodePudding user response:

The Cloud Functions runtime verifies the ID token that it receives in the Bearer header before it sets it in context.auth. So while a malicious user can pass any value they like, it won't be a valid ID token for your project and thus it will be rejected in this verification.

The token in context.auth is passed from the client, but it is actually minted by the server (or by another piece of code that has access to the administrative credentials of your project).

CodePudding user response:

I check if context.auth.token.email is in the admin list.

As long as the list can be edited by you (or any authorized person only), it's fine.

Is it possible for an attacker to call the function with a fake context.auth which has an email address of another Google Account?

No, unless they have access to that Google Account itself and log in to your application with it.
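As an added illustration (not code from the question or either answer), here is the admin gate the question describes, with the decision factored into a pure function so it can be exercised offline against constructed context.auth objects. The allowlist, the sample e-mail addresses and the makeHandler wrapper around firebase-functions are assumptions for the example.

```javascript
// Constructed sample allowlist; in a real deployment keep this where only
// authorized people can edit it (config, Firestore rules, etc.).
const ADMIN_EMAILS = new Set(['admin@example.com']);

// Pure authorization check over the `context.auth` object that the Cloud
// Functions runtime populates only after verifying the caller's ID token.
// Returns a decision object rather than throwing so it is easy to test.
function adminCheck(auth, adminEmails = ADMIN_EMAILS) {
  // No auth at all: the request carried no valid ID token for this project.
  if (!auth || !auth.token) {
    return { ok: false, code: 'unauthenticated' };
  }
  const { email, email_verified: emailVerified } = auth.token;
  // Google sign-in reports verified e-mails; if other providers are ever
  // enabled, refusing unverified claims keeps the allowlist meaningful.
  if (!email || emailVerified !== true) {
    return { ok: false, code: 'permission-denied' };
  }
  // Compare case-insensitively; the email claim is not guaranteed lower-case.
  if (!adminEmails.has(email.toLowerCase())) {
    return { ok: false, code: 'permission-denied' };
  }
  return { ok: true, uid: auth.uid, email };
}

// Builds the callable's handler body. `functions` is the firebase-functions
// module, passed in (hypothetical wiring) so this file has no SDK dependency:
//   exports.adminOnly = functions.https.onCall(makeHandler(functions));
function makeHandler(functions) {
  return (data, context) => {
    const decision = adminCheck(context.auth);
    if (!decision.ok) {
      // HttpsError codes map to the client-visible error; never leak the list.
      throw new functions.https.HttpsError(decision.code, 'Admin access required.');
    }
    return { message: `Hello admin ${decision.email}` };
  };
}
```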
