Is Firebase E-mail Auth example secure?

北战南征 submitted on 2019-12-08 03:47:05

Question


I am trying the JS SDK of Firebase, naturally, I picked up the provided example and started to dive in.

The example code is for e-mail sign in, hosting on Firebase.

What surprises me is that all password compliance is checked client-side:

...
    function toggleSignIn() {
      if (firebase.auth().currentUser) {
        // [START signout]
        firebase.auth().signOut();
        // [END signout]
      } else {
        var email = document.getElementById('email').value;
        var password = document.getElementById('password').value;
        if (email.length < 4) {
          alert('Please enter an email address.');
          return;
        }
        if (password.length < 4) {
          alert('Please enter a password.');
          return;
        }
...

What mechanism prevents someone from opening the code in the console, removing the check, and registering under an empty string as e-mail/password?

Searching for Firebase security only tells me that everything is done over HTTPS, and that server-side rules are customizable to prevent anyone not signed in from editing the DB, but what about this?


Answer 1:


The sample code you link to is from the documentation of the Firebase email+password authentication provider. I recommend reading the documentation page too, instead of just the sample code in isolation.

When I try to create a user with a short password (123), the Firebase Authentication server responds with:

{code: "auth/weak-password", message: "The password must be 6 characters long or more."}

As you can see, the server validates the strength of the password too.

It is quite common to perform validations both client and server side.

  • Validations must be performed on the server to ensure that they can't be hacked around, as you said.
  • By also validating the values client-side, you can ensure a better user experience. In this example: you can prevent the need for a round-trip to the server in case the user enters an invalid email address.


Source: https://stackoverflow.com/questions/37991935/is-firebase-e-mail-auth-example-secure
