
I have a React site that uses Firebase to authenticate users. I’m writing E2E tests using Playwright (same results with Selenium) and really struggling to get login to work, to the point that I gave up doing it using any of the suggestions I’ve seen online.

My question is, is there a security issue with having the following code in my login page?

  const [searchParams] = useSearchParams();
  if(searchParams.get('user') && searchParams.get('pass')) {
      handleLogin(searchParams.get('user') as string, searchParams.get('pass') as string);
  }

This will allow Playwright to access all pages by first going to http://localhost:3000/?user=username&pass=password

Since all the login logic is happening in the UI, I figure that this shouldn’t be an issue. Am I wrong?

2 Answers


  1. As long as you are still using Firebase Authentication and not storing passwords in Firestore, it will be secure. If you are using Firestore, you can secure it further by adding read/write rules that only allow users to access their own data.

  2. I would argue that setting your code up so that the password is put into the URL is a really bad practice. If this is an E2E test, then have it browse to the login page and enter the password there. Otherwise you end up with the password being stored in the "browser history", which is not good, and you might find users who take advantage of this feature to "bookmark" their logins.

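The approach recommended in the second answer, as an added example that is not part of the original thread: a Playwright helper that logs in through the form and fails the test if credentials ever show up in a URL. The `/login` route, the `E2E_USER` / `E2E_PASS` environment variables, the form selectors and the function names are assumptions, not taken from the asker's app.

```javascript
// Added example. Assumed names: LOGIN_PATH, the E2E_USER / E2E_PASS
// environment variables, and the form selectors used below.
const LOGIN_PATH = '/login';
const CREDENTIAL_PARAMS = new Set(['user', 'username', 'email', 'pass', 'password', 'token']);

// Read test-account credentials from the environment, never from the URL.
function readTestCredentials(env = process.env) {
  const { E2E_USER: user, E2E_PASS: pass } = env;
  if (!user || !pass) throw new Error('E2E_USER and E2E_PASS must be set');
  return { user, pass };
}

// Throw if a URL carries credentials in its query string or userinfo part,
// where they would be kept in browser history and bookmarks.
function assertNoCredentialsInUrl(rawUrl) {
  const url = new URL(rawUrl);
  if (url.username || url.password) throw new Error('credentials in URL userinfo');
  for (const key of url.searchParams.keys()) {
    if (CREDENTIAL_PARAMS.has(key.toLowerCase())) {
      throw new Error(`credential parameter "${key}" in URL`);
    }
  }
  return url.toString();
}

// `page` is a Playwright Page. The password only travels through the form
// fields, so the production login page needs no query-string shortcut.
async function loginViaForm(page, baseUrl, creds) {
  await page.goto(assertNoCredentialsInUrl(new URL(LOGIN_PATH, baseUrl).href));
  await page.fill('input[type="email"]', creds.user);
  await page.fill('input[type="password"]', creds.pass);
  await page.click('button[type="submit"]');
  // Wait until the app has navigated away from the login route.
  await page.waitForURL((url) => url.pathname !== LOGIN_PATH);
  return assertNoCredentialsInUrl(page.url());
}
```

In a test file this would be called as `await loginViaForm(page, 'http://localhost:3000', readTestCredentials())` from a `beforeEach` hook or a setup project.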