I have a React site that uses Firebase to authenticate users. I'm writing e2e tests using Playwright (same results with Selenium) and really struggling to get login to work, to the point that I gave up doing it using any of the suggestions I've seen online.
My question is: is there a security issue with having the following code in my login page?
import { useSearchParams } from 'react-router-dom'; // hook that reads the ?user=...&pass=... query string
const [searchParams] = useSearchParams();
// Auto-login when both query parameters are present
if (searchParams.get('user') && searchParams.get('pass')) {
  handleLogin(searchParams.get('user') as string, searchParams.get('pass') as string);
}
This will allow Playwright to access all pages by first going to http://localhost:3000/?user=username&pass=password
Since all the login logic is happening in the UI, I figure that this shouldn't be an issue. Am I wrong?
2 Answers
As long as you are still using Firebase Authentication and not storing passwords in Firestore, it will be secure. If you are using Firestore, you can secure it further by adding read/write rules that only allow users to access their own data.
I would argue that setting your code up so that the password is put into the URL is a really bad practice. If this is an E2E test, then have it browse to the login page and enter the password there. Otherwise you end up with the password being stored in the "browser history", which is not good, and you might find users who take advantage of this feature to "bookmark" their logins.
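The second answer's suggestion, as an added example that is not part of the question or either answer: a Playwright helper that drives the real login form and never puts credentials in a URL, plus a guard that fails the test if a credential-like query parameter ever appears in the page URL. It assumes the app's login page is at `/login`, that the form has inputs labelled "Email" and "Password" and a "Sign in" button, that a successful login lands on a path containing `/dashboard`, and that credentials are supplied through the environment variables `E2E_BASE_URL`, `E2E_USER` and `E2E_PASS`; all of those names are assumptions, not values from the original post.

```javascript
// Added example (not from the question or answers): log in through the real
// form in a Playwright test instead of passing credentials in the URL.
// Assumed: login route /login, labels "Email"/"Password", button "Sign in",
// post-login route /dashboard, credentials in E2E_* environment variables.

// Query parameter names that must never carry credentials (constructed list).
const CREDENTIAL_PARAMS = new Set([
  'user', 'username', 'email', 'pass', 'password', 'pwd', 'token',
]);

// Return the names of credential-like query parameters present in a URL, so a
// test can fail fast if the login flow ever regresses into ?user=&pass=.
function credentialParamsIn(url) {
  const params = new URL(url).searchParams;
  return [...params.keys()].filter((k) => CREDENTIAL_PARAMS.has(k.toLowerCase()));
}

// Read test credentials from the environment; throw instead of silently
// falling back to a hard-coded password that would end up in the repo.
function credentialsFromEnv(env) {
  const required = ['E2E_BASE_URL', 'E2E_USER', 'E2E_PASS'];
  const missing = required.filter((k) => !env[k]);
  if (missing.length) throw new Error(`missing env vars: ${missing.join(', ')}`);
  return { baseUrl: env.E2E_BASE_URL, user: env.E2E_USER, pass: env.E2E_PASS };
}

// Drive the real login form with Playwright's Page API. `page` is the fixture
// Playwright injects into a test; the password is typed into the form field,
// so it never appears in browser history or a bookmarkable URL.
async function loginViaForm(page, { baseUrl, user, pass }) {
  await page.goto(`${baseUrl}/login`);                           // assumed route
  await page.getByLabel('Email').fill(user);                     // assumed label
  await page.getByLabel('Password').fill(pass);                  // assumed label
  await page.getByRole('button', { name: 'Sign in' }).click();   // assumed button
  await page.waitForURL('**/dashboard');                         // assumed landing page
  const leaked = credentialParamsIn(page.url());
  if (leaked.length) {
    throw new Error(`credentials leaked into URL: ${leaked.join(', ')}`);
  }
  return page.url();
}

// Export for use from spec files when loaded as a CommonJS module.
if (typeof module !== 'undefined') {
  module.exports = { credentialParamsIn, credentialsFromEnv, loginViaForm };
}

// Usage inside a spec file (needs @playwright/test installed):
// const { test, expect } = require('@playwright/test');
// test('user can reach the dashboard', async ({ page }) => {
//   const url = await loginViaForm(page, credentialsFromEnv(process.env));
//   expect(url).toContain('/dashboard');
// });
```

Reading the credentials from the environment keeps them out of both the test source and the URL, and the `credentialParamsIn` guard turns the answer's concern (a password sitting in browser history or a bookmark) into a check that runs on every login.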