2

I am using the Firebase Admin SDK on the server to generate sign-in links and send them out via a custom SMTP API.

I just glanced at https://firebase.google.com/docs/auth/limits and I am well within these, but I believe there is nothing stopping a malicious third party from creating/requesting sign-in links via front-end code. Is there a possibility to disable this functionality so it is only available to the admin account?

Additionally, I'd like some emails (i.e. multi-factor enrolment) to not be possible, but again, given that someone can obtain some of my Firebase front-end details, they technically can send these?

Ilja
  • Do you use Firebase Client SDK as well to make requests to Firebase from client side directly for authentication? You can restrict the API key to certain APIs but not a method like sign in or so. – Dharmaraj Jan 22 '23 at 12:46
  • Indeed I do, in essence I want to sign user in using client sdk's, but not allow clients to perform actions associated to sending emails. – Ilja Jan 22 '23 at 12:54
  • As mentioned earlier, you can disable client access to Identity Toolkit API but not individual method. That means you'll have to create an API key that only your server can access and proxy your requests through your server for any actions like requesting a new access token and so on. Will that work for you? – Dharmaraj Jan 22 '23 at 13:00
  • @Dharmaraj should do the trick, if you want to provide that as an answer, perhaps more details, I'll go ahead and accept it – Ilja Jan 22 '23 at 14:33

1 Answer

4

You can restrict the API key from accessing an API (e.g. Identity Toolkit) but not disable a single method of the API for the client. Sign up and delete user can be (that requires upgrading to Identity Platform).

Firebase generates an API key when you add a web app. You can either update that or create a new key from API Credentials console.


You can then restrict what the API key in the Firebase web config has access to.


However, Firebase Auth Client SDK will not work as Identity Toolkit is not selected. You'll have to proxy the requests through your backend and use a different key that can be used from your server's IP only.


Firebase Admin SDK will still be functional as usual so you can use that to perform other operations like updating/deleting users. You'll just have to write APIs on your backend for what could have been done using client SDK directly (or use Admin SDK when possible).

It might be a lot to update and I would not recommend it unless you are facing rate-limiting issues, where Firebase Support should be able to help.

Dharmaraj