
[FR]: Ability to proxy identitytoolkit and securetoken hosts

Open jostster opened this issue 2 years ago • 2 comments

Description

  1. Since the auth tokens are public, this allows attackers to brute force with credential stuffing attacks, by hitting the firebase auth api directly. Firebase should allow overrides for organizations to allow proxying the auth endpoints so that they can be placed behind firewalls and have more control to combat attacks.
  2. Currently organizations are at the mercy of attackers since Firebase host scripts only trigger on a successful login attempt.
  3. Allowing organizations to override the auth endpoint so that it is proxied through a service behind a firewall would give organizations the ability to block the public API key from hitting the Firebase auth / identitytoolkit endpoints directly. When proxied, the real auth key can be appended to the end of the requests and placed behind a firewall for additional security checks to prevent credential stuffing.

API Proposal

No API changes are required

Firebase Product(s)

Authentication

jostster avatar Sep 27 '23 18:09 jostster
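
As an added illustration of the server side of what points 1 and 3 describe (this is example code, not part of the issue, the Firebase SDKs or any Firebase product): a minimal proxy that sits in front of `identitytoolkit.googleapis.com` and `securetoken.googleapis.com`, strips whatever key the client sent, rate-limits password sign-in per source IP and per target account, and only then appends the real API key before forwarding. The SDK-side override that would point clients at this proxy is the feature being requested and is not shown. The hostnames are the real Firebase Auth endpoints; the route allow-list, limits, key value and helper names are assumptions chosen for the example.

```python
# Added example of the auth proxy described in the request; not Firebase code.
# Assumptions: the real API key is loaded only on the proxy and never shipped
# in the app; clients are pointed at the proxy instead of the Google hosts;
# the limits and route list below are illustrative, not recommendations.
import json
import time
import urllib.parse
from collections import defaultdict, deque

# Real Firebase Auth hosts (the ones the request asks to make overridable).
IDENTITY_HOST = "identitytoolkit.googleapis.com"
SECURETOKEN_HOST = "securetoken.googleapis.com"
REAL_API_KEY = "REAL-KEY-LOADED-FROM-SECRET-STORE"  # assumption: server-side only

# Allow-list of paths the proxy forwards, and the upstream host for each.
ROUTES = {
    "/v1/accounts:signInWithPassword": IDENTITY_HOST,
    "/v1/accounts:signUp": IDENTITY_HOST,
    "/v1/accounts:sendOobCode": IDENTITY_HOST,
    "/v1/token": SECURETOKEN_HOST,  # refresh-token exchange
}
WINDOW_SECONDS = 60
MAX_PER_IP = 20     # password sign-in attempts per source IP per window
MAX_PER_EMAIL = 5   # attempts against one account per window, from any IP


class SlidingWindowLimiter:
    """Per-key sliding-window counter: the check that cannot run client-side."""

    def __init__(self, window):
        self.window = window
        self.hits = defaultdict(deque)

    def allow(self, key, limit, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


def handle(path, query_string, body, client_ip, limiter, now=None):
    """Decide what to do with one client request.

    Returns ("block", http_status, reason) or ("forward", upstream_url, body).
    The caller (an HTTP server) would send the returned URL and body upstream
    and relay the response; that transport is left out so this runs offline.
    """
    now = time.time() if now is None else now
    host = ROUTES.get(path)
    if host is None:
        return ("block", 404, "path not proxied")

    # Drop whatever key the client sent (the public one, a placeholder, or
    # nothing); only the proxy's real key ever reaches Firebase.
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    params.pop("key", None)

    # Password sign-in is the credential-stuffing surface. Count per IP first,
    # then per target account so a distributed attacker still hits the account cap.
    if path == "/v1/accounts:signInWithPassword":
        if not limiter.allow(("ip", client_ip), MAX_PER_IP, now):
            return ("block", 429, "too many attempts from this address")
        try:
            email = json.loads(body or "{}").get("email", "").strip().lower()
        except (json.JSONDecodeError, AttributeError):
            return ("block", 400, "malformed body")
        if email and not limiter.allow(("email", email), MAX_PER_EMAIL, now):
            return ("block", 429, "too many attempts for this account")

    params["key"] = [REAL_API_KEY]
    upstream = "https://%s%s?%s" % (host, path,
                                    urllib.parse.urlencode(params, doseq=True))
    return ("forward", upstream, body)


if __name__ == "__main__":
    # Constructed sample: six sign-in attempts against one account from six IPs.
    lim = SlidingWindowLimiter(WINDOW_SECONDS)
    body = '{"email": "victim@example.com", "password": "guess", "returnSecureToken": true}'
    for i in range(6):
        print(handle("/v1/accounts:signInWithPassword", "key=PUBLIC-APP-KEY",
                     body, "203.0.113.%d" % i, lim, now=1000.0 + i)[:2])
```

The per-account limit is the part the request is really after: a stuffing run that rotates source addresses still gets capped on the victim's email, and the proxy can return a generic 429 without revealing whether the account exists. Whatever triggers on a successful login upstream is unaffected, since forwarded requests are unchanged apart from the key.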

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot avatar Sep 27 '23 18:09 google-oss-bot

I believe this is a duplicate of #4987.

triplef avatar Oct 02 '24 10:10 triplef