[BUG] - Security issue with using firebase functions #27

zvikarp · 2019-05-02T23:07:14Z

The security issue
When a user uses a firesbase function (e.g. changing his name) there is no check that it is him.
This can be a big problem because we use firebase functions for admin only functions (sending messages).

How to fix

generate a token for user and sending it to the function.
function checks the token and validates it.
function gets uid from the function and uses it. not a uid passed to it.
if needed, check in firestore if user has specific role.

This issue is in the following functions:

changeName
changeUserStatus
sendMessage (in the near future...)
changeUserRoles(in the near future...)

zvikarp added bug Something isn't working available task waiting for a contributor to start working on this task security issue labels May 2, 2019

zvikarp added this to the version 1.0.0 milestone May 2, 2019

zvikarp mentioned this issue May 2, 2019

[BUG] - all users have write permissions to firebase storage #28

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] - Security issue with using firebase functions #27

[BUG] - Security issue with using firebase functions #27

zvikarp commented May 2, 2019

[BUG] - Security issue with using firebase functions #27

[BUG] - Security issue with using firebase functions #27

Comments

zvikarp commented May 2, 2019