1 vote

So, I've seen this post: How to protect firebase Cloud Function HTTP endpoint to allow only Firebase authenticated users?

Essentially the HTTPS endpoint validates that it's from an authorized user by ensuring a Bearer token/Firebase ID token is in the Authorization HTTP header.

I'm wondering, if someone found this Firebase ID token, wouldn't this HTTP endpoint be compromised? I.e., they could pass a bearer token with Authorization: Bearer <Firebase ID Token>

I've seen other methodologies which would use the Firebase realtime database as an API itself which might be more secure.

Curious if I'm missing something here.


1 Answer

2 votes

Obviously, you should take caution not to expose these tokens. But you should know that these tokens expire after 1 hour and need to be refreshed by an authenticated client. This happens automatically when using the Firebase SDKs. So, even if someone were to capture one of these tokens due to careless application design, it would have very limited usefulness in the real world.