This is my problem with the whole architecture of FE -> DB. Without a middle server layer, things like token storage, authentication, and other things become really easy to screw up.
Firebase has an auth API that is free built in, it's weird that they didn't just use it. Idk if whoever built this would have built a more secure solution with a server layer or just have a public mongo instance instead
Mhhm. It's also a reason why we're making sure our developers have an easy time integrating into the platforms authn and authz systems. For example, if you need an admin interface, it should be just a library include and some bespoke framework configs to be integrated with the central authz framework over trying to think of something on their own.
It's... way too successful internally, lol, because we have a lot of permissions and privileges to manage now. And now we have to figure out good ways to assign these permissions to people more efficiently.
But that's a better problem than a GDPR relevant data breach, to be honest.
