firebase javascript injection

Question

I want ask something about firebase security. How to handle following situations?

1. User is creating account with createUserWithEmailAndPassword() function, then i save his username,email,created_at...to realtime db. But what if data are not saved correctly. His account is created and he is logged in automatically but data is not stored.

2. I have some registration logic... for example unique usernames... so before creating acc i check if this username exist in realtime db. But he still can call createUserWithEmailandPassword() from js console and account is created.

Answer 1

For situation one:

According to the firebase docs (https://www.firebase.com/docs/web/api/firebase/createuser.html), creating a user does not automatically authenticate them. An additional call to authWithPassword() is required first. In order to ensure that a user isn't authenticated without valid data, you could run a check to the server to make sure the data is saved correctly before authenticating.

Edit: Nevermind that; looks like firebase does auto-auth now - take a look at what I wrote below.

Now a concern with this approach would be if your app allowed people to authenticate with an OAuth provider like gmail, then there is no function for creating the user before authenticating them. What you may need to do is pull the user data from the firebase, determine if it's valid, and if its not valid show a popup or redirect that lets the user fix any invalid data.

For situation two:

If you wanted to make sure that in the case of them calling createUserWithEmailAndPassword() from the console a new user is not created, you could try something like this with promises;

var createUserWithEmailAndPassword = function(username, password) {
    var promise = isNewUserValid(username, password);
    promise.then(function() {
        // Code for creating new user goes here
    });
}

In this way, you never expose the actual code that makes a new user because it exists within an anonymous function.

I don't think that this could solve the problem entirely though because firebases API would let anyone create an account using something

var ref = new Firebase("https://<YOUR-FIREBASE-APP>.firebaseio.com");
ref.createUser({
  email: "bobtony@firebase.com",
  password: "correcthorsebatterystaple"
}

(Taken from https://www.firebase.com/docs/web/api/firebase/createuser.html)

If you wanted to make sure that server side you can't ever create a user with the same user name, you'd need to look into firebases's rules, specifically .validate

Using it, you could make sure that the username doesn't already exist in order to validate the operation of creating a username for an account.

Here's the firebase doc on rules: https://www.firebase.com/docs/security/quickstart.html

And this is another question on stack overflow that is quite similar to yours. Enforcing unique usernames with Firebase simplelogin Marein's answer is a good starting point for implementing the server side validation.

Answer 2

First save the user credentials in the realtime database before you create the user:

var rootRef = firebase.database().ref('child');

    var newUser = {
        [name]: username,
        [email]: useremail,
        [joined]: date
    };
    rootRef.update(newUser);

After adding the Usersinfo into the realtime database create a new user:

firebase.auth().createUserWithEmailAndPassword(useremail, userpassword).catch(function(error) {
        // Handle Errors here.
        var errorCode = error.code;
        var errorMessage = error.message;
        // ...
    }); 

When an error occured while inserting the data in the realtime database, it will skip the createuser function. This works fine for me, hope this helps!