Question

I am trying to use Firebase's simple login with the email/password provider. My setup is very simple; it's a copy of Firebase's docs:

<!doctype html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <script type='text/javascript' src='https://cdn.firebase.com/v0/firebase.js'></script>
    <script type='text/javascript' src='https://cdn.firebase.com/v0/firebase-auth-client.js'></script>
    <script>
        var chatRef = new Firebase('https://testfbang.firebaseIO-demo.com');
        var authClient = new FirebaseAuthClient(chatRef, function(error, user) {
            if (error) {
                // an error occurred while attempting login
                console.log(error);
            } else if (user) {
                // user authenticated with Firebase
                console.log('User ID: ' + user.id + ', Provider: ' + user.provider);
            } else {
                // user is logged out
                console.log('Not logged in')
            }
        });
        authClient.createUser('myemail@gmail.com', 'mypass', function(error, user) {
            if (!error) {
                console.log('User Id: ' + user.id + ', Email: ' + user.email);
            }
        });
        function dologin(){
            authClient.login('password', {
                email: 'myemail@gmail.com',
                password: 'mypass'
            });
        };
    </script>
</head>
<body>
    <button onclick="dologin()">login</button>
</body>
</html>

The user is created correctly; I got this in my console:

User Id: 2, Email: myemail@gmail.com 

But when I hit the login button, I am getting:

Not logged in

The response consists of a "token" string and a "user" JSON string with the correct id, email, provider etc.

The response seems correct, somehow the user object does not get populated.

I have tried with wrong email or password and I got the relevant error message.

Am I missing something?

Also I have noticed that the call to the auth service is something like this:

https://auth.firebase.com/auth/firebase?&firebase=testfbang&email=myemail%40gmail.com&password=mypass5&callback=FirebaseAuthClient._callbacks._firebaseXDR136717460560112

I am not a security expert, but aren't cleartext passwords in the URL a major security problem?

Thank you for any input.

Andreas


Solution

The code in the above snippet is correct, but the address / URL of the Firebase being used is incorrect. All 'production' user Firebases use the domain firebaseIO.com, but the above code uses a firebaseIO-demo.com domain, which is security-disabled and used only for test purposes. Firebases on that domain can be created by anyone and passed around as a convenience, but cannot be authenticated to or tied to a Firebase account.

Regarding passwords in plaintext, all Firebase Simple Login requests are forced to HTTPS, so this password is never actually sent in plaintext over the wire.
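
The two points in this answer, written as a pre-flight check: an added example that is not part of the original post or of Firebase's client library. The host suffixes are the ones named in the answer; the function names, the list of sensitive parameter names, and the sample URLs in the usage note are assumptions. HTTPS protects the query string in transit, and the second function also masks it before the URL is written to a log.

```javascript
// Added example (not from the original post). Host suffixes come from the
// answer above; the function names and the set of sensitive parameter names
// are assumptions made for this sketch.
const SENSITIVE_PARAMS = new Set(['password', 'token']);

// Classify a Firebase URL before wiring it into an auth client.
function classifyFirebaseUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'not a valid URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'not HTTPS' };
  }
  // URL lower-cases the hostname, so "firebaseIO-demo.com" matches here.
  const host = url.hostname;
  // Match a dot-delimited suffix so look-alike hosts do not pass.
  if (host.endsWith('.firebaseio-demo.com')) {
    return { ok: false, reason: 'demo domain: authentication is disabled' };
  }
  if (host.endsWith('.firebaseio.com')) {
    return { ok: true, reason: 'production domain' };
  }
  return { ok: false, reason: 'not a Firebase host' };
}

// Mask credential-bearing query parameters before a URL is logged.
function redactUrl(raw) {
  const url = new URL(raw);
  // Copy the keys first: set() rewrites the list being iterated.
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, 'REDACTED');
    }
  }
  return url.toString();
}
```

`classifyFirebaseUrl('https://testfbang.firebaseIO-demo.com')` reports the demo domain used in the question, and `redactUrl` applied to a constructed auth URL such as `https://auth.firebase.com/auth/firebase?&email=a%40example.com&password=s3cret` returns it with `password=REDACTED`.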

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow