I am using Firebase Auth for a web app that involves financial transactions. Thus, security is the most important thing for my app. According to this doc, Firebase can persist its token across multiple sessions by storing it somewhere. It does not mention how safe it is from XSS. Of course, I can just assume it's safe because it's Google, but I want to know more about it.
We've all read articles noting how localStorage is unsafe for storing auth, and cookie + csrf token + jwt + httpOnly is more secure way to handle auth for browsers.
How does Firebase store its token? Does it use localStorage or cookie, or combination of both?
Firestore save the token in an Indexed DB (https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API). The DB is named "firebaseLocalStorageDb", the object store is named "firebaseLocalStorage", and the key firebase:authUser:[id].
For further code review, check out https://github.com/firebase/firebase-js-sdk/blob/master/packages/auth/src/authuser.js .
来源:https://stackoverflow.com/questions/52597085/is-firebase-auths-local-persisted-auth-state-secure-and-safe-from-xss-and-csr