codeforcauseorg / archive.codeforcause.org

https://sandbox.codeforcause.org
Mozilla Public License 2.0

Fixed issue #123 #124

Closed ujjwal404 closed 4 years ago

ujjwal404 commented 4 years ago

Removed the line that console-logs the Firebase auth token. (Screenshot 2020-10-05 at 5:39:34 PM)

Abhishek-kumar09 commented 4 years ago

Firebase tokens are time-bound and expire when the user logs out, and every time the user logs in a new token is generated. So, is there any loophole that this token opens when exposed to the user?

ujjwal404 commented 4 years ago

No, there is no such loophole, but there is a really small chance that if someone manages to do a successful XSS attack on the client's browser, they might be able to use that token to get the data.

Abhishek-kumar09 commented 4 years ago

I can't test whether it is no longer showing the token with this code, because the Netlify domain is not registered with OAuth. Have you confirmed at your end that this token is now not visible?

ujjwal404 commented 4 years ago

Sorry, I've not confirmed this, but authServices.js is the only file that uses the token from auth.js. In the auth.js file, accessToken is passed to the setSession function, which prints it to the console. No other external function uses the access token from auth.js; I've checked each external file that auth.js imports and whose functions or states it uses.

Abhishek-kumar09 commented 4 years ago

Ok, that's cool. But I want to ask whether you can still see the token in your console after this change.

ujjwal404 commented 4 years ago

No, it's not there and everything is working fine.
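The change discussed in this thread, as an added example that is not code from the archive.codeforcause.org project: a setSession that logs the raw Firebase access token (the kind of line this PR removes) beside a version that stores the token and logs only a redacted form, with a check that the captured log lines never contain the raw value. The function names, the in-memory storage stand-in and the sample token are assumptions.

```javascript
// Added example, not the project's own auth.js. In-memory stand-ins for
// localStorage and console so the snippet runs under Node without a browser.
const storage = new Map();
const logLines = [];
const log = (...parts) => logLines.push(parts.join(' '));

// Before: the pattern this PR removes. Anything that can read the console
// (devtools, a script injected via XSS, a logging extension) sees the raw
// bearer token and can replay it against the API for as long as it is valid.
function setSessionUnsafe(accessToken) {
  log('access token:', accessToken);
  storage.set('access_token', accessToken);
}

// Keep logs useful for debugging without leaking a usable credential:
// show only a short prefix plus the length.
function redactToken(token, visible = 6) {
  if (typeof token !== 'string' || token.length === 0) return '<none>';
  return `${token.slice(0, visible)}...(${token.length} chars)`;
}

// After: the token is stored for the rest of the app (e.g. an authServices
// module) to use, but is never written to the console in full. A falsy
// token clears the session, matching the "expires on logout" behaviour
// described in the thread.
function setSession(accessToken) {
  if (!accessToken) {
    storage.delete('access_token');
    log('session cleared');
    return;
  }
  storage.set('access_token', accessToken);
  log('session set, token', redactToken(accessToken));
}

// Regression check for this fix: does any captured log line contain the
// raw token? This is the "is it still visible in the console" question
// from the review, made mechanical.
function logsLeakToken(token) {
  return logLines.some((line) => line.includes(token));
}

function currentToken() {
  return storage.get('access_token');
}
```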