Closed davorinrusevljan closed 3 days ago
I would not consider state data to be safe from client-side tampering (in your example, Alice can tamper with her own state, but not other people's state).
For firebase auth, I would verify the token on the server-side using Firebase Server's SDK: see https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_the_firebase_admin_sdk
Theoretically, a user could change the token on the client side, but it would be difficult for them to alter it into a valid Firebase token, unless the user somehow gets hold of another user's Firebase token (which would require some kind of security exploit).
Hello,
I may have missed it in the docs, but is data in the state considered safe from tampering on the client side?
If I needed to guess, I would say it is probably not safe.
I am asking because the Firebase Auth example stores the email in state, and uses this part of the state to enable users to do restricted stuff.
What is stopping Alice from tampering with state data on the client and gaining access? (Maybe the state is signed?)
If state is not safe, what would be a bit more realistic approach to security?
Store the token obtained from Firebase in the state, and then, in each event handler that can result in a restricted action, validate the token?