FYI I originally posted this on reddit, but figured the more eyes I get on this the more likely I am to get some input.
Hi guys, I wanted to hear how you guys went about implementing and securing anonymous authentication?
In my app, I want to allow users to be able to create data without having to sign up first, and if they never sign up they should be able to keep using my app (i.e. continue to create data). So what I’m doing is creating an anonymous account on page load, which will allow the user to create data. And then if they want to be able to switch devices and/or prevent losing access to their anonymously created data (by clearing site cache, for instance), they can then sign in with facebook or google and it’ll reassign the anonymously created data to their now fully authenticated account. I’ll probably still change this to only create the anonymous account when the user actually attempts data creation, instead of having it on load, but that’s beside the point right now.
So naturally this had me thinking that my app is susceptible to bots constantly refreshing my page and overloading the system with fake anonymous accounts, for which my go-to solution was to implement google recaptcha. This seemed to be the correct answer for a while now, but then it occurred to me that unless a server can validate the recaptcha token and create the anonymous account all in one api call, it’s pointless to have recaptcha at all.
Basically how I’ve designed it up to now was that on page load I’d generate a recaptcha token, verify it via a firebase function call, send the recaptcha score back to the frontend and then check if the score is >= 0.5 before proceeding with the anonymous auth, but presumably a hacker / bot / malicious actor would be able to circumvent this if(score >= 0.5) frontend check by manually setting his score to 0.6, or by manually calling the sign in anonymously function from a script, or however it is that hackers do their thing lol.
So now I’m pretty much at a loss for what to do about it. At first I was thinking that a firebase function will just have to handle anonymous auth from now on, that way I can pass it the recaptcha token in the request to auth and it can validate the token and reject the request if the score’s too low or the recaptcha token’s non-existent, but that seems like a super tedious work-around that could potentially affect my whole underlying architecture. And I’m not even sure if the functions/auth sdks would be able to do this to begin with.
Then I thought that firebase might have some sort of beforeAuthenticate function hook, which would, at least to some degree, make the server-side anonymous auth a little easier, but from my research it seems the only way to get a beforeAuthenticate hook is by integrating GCP’s Identity Framework and I don’t know the first thing about GCP or Identity, so it’s not ideal either.
All that being said, I figured I’d first try to get some wisdom from the community on this problem before proceeding in a direction. So, community, have you faced this problem before? How did you solve it? Is it even a problem, or am I overthinking it? What are your thoughts?