firebase / firebase-ios-sdk

Firebase SDK for Apple App Development
https://firebase.google.com
Apache License 2.0
5.62k stars 1.47k forks

[FR]: Ability to proxy identitytoolkit and securetoken hosts #11858

Open jostster opened 1 year ago

jostster commented 1 year ago

Description

  1. Since the auth tokens are public, this allows attackers to brute force with credential stuffing attacks, by hitting the firebase auth api directly. Firebase should allow overrides for organizations to allow proxying the auth endpoints so that they can be placed behind firewalls and have more control to combat attacks.
  2. Currently organizations are at the mercy of attackers since Firebase host scripts only trigger on a successful login attempt.
  3. Allowing organizations to override the auth endpoint so that it is proxied through a service behind a firewall gives organizations the ability to block the public API key from hitting the Firebase auth / identitytoolkit endpoints directly. When proxied, the real auth key can be appended to the end of the requests and placed behind a firewall for additional security checks to prevent credential stuffing.

API Proposal

No API changes are required

Firebase Product(s)

Authentication
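The proxy policy the request describes, as an added example (constructed here, not code from firebase-ios-sdk or the issue author): the client is pointed at a proxy, the proxy discards the client's `key` parameter and appends the real API key held server-side, and password sign-in attempts are throttled per client IP before anything reaches the Google hosts. The route prefixes, the placeholder key and the throttle thresholds are assumptions.

```python
"""Auth-proxy policy for proxied identitytoolkit / securetoken traffic (constructed example)."""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical route map: prefix the client uses on the proxy -> real upstream host.
UPSTREAMS = {
    "/identitytoolkit": "https://identitytoolkit.googleapis.com",
    "/securetoken": "https://securetoken.googleapis.com",
}

def rewrite_upstream(client_url: str, real_api_key: str) -> Optional[str]:
    """Map a proxied request URL to its upstream URL, swapping in the server-side key.
    Returns None for any path outside the allowed prefixes (nothing else is forwarded)."""
    parts = urlsplit(client_url)
    for prefix, host in UPSTREAMS.items():
        if parts.path.startswith(prefix + "/"):
            # Drop whatever key the client sent; only the real key ever goes upstream.
            query = [(k, v) for k, v in parse_qsl(parts.query) if k != "key"]
            query.append(("key", real_api_key))
            return f"{host}{parts.path[len(prefix):]}?{urlencode(query)}"
    return None

class SlidingWindowLimiter:
    """Allow at most `limit` attempts per client IP within the last `window` seconds."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client_ip: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[client_ip]
        while hits and now - hits[0] > self.window:  # expire attempts outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

# Only credential-bearing operations are throttled; token refresh is passed through.
THROTTLED_OPS = ("accounts:signInWithPassword", "accounts:signUp")

def decide(client_ip: str, client_url: str, real_api_key: str,
           limiter: SlidingWindowLimiter, now: Optional[float] = None) -> Tuple[int, Optional[str]]:
    """Return (status, upstream_url): 404 for unknown routes, 429 when throttled, else 200."""
    upstream = rewrite_upstream(client_url, real_api_key)
    if upstream is None:
        return 404, None
    if any(op in upstream for op in THROTTLED_OPS) and not limiter.allow(client_ip, now):
        return 429, None
    return 200, upstream
```

A 429 from the proxy never reaches Firebase, so failed attempts are visible and blockable at the firewall even though the upstream only reports successful logins.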

google-oss-bot commented 1 year ago

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

triplef commented 3 weeks ago

I believe this is a duplicate of #4987.