I was debugging in console and watching the Network panel and noticed this information being sent to during a facebook authentication login. The information is being sent to a firebase backend. Should this be encrypted? the token and auth key were all in plain text. Wouldn’t that present a security flaw or is it something we can’t hide from a user on their own device?
kind: “identitytoolkit#VerifyAssertionResponse”, federatedId: “http://facebook.com/101549602394023”,…}
displayName
:
“Clar”
email
:
"duaneqhes@gmail.com"
emailVerified
:
false
expiresIn
:
“3600”
federatedId
:
“http://facebook.com/10150602394023”
firstName
:
“Clark”
fullName
:
“Clar”
idToken
:
“eyJhbGciOiJSUzI1NiIsImtpZCI6ImMwNmEasdfADFADSFASDFADSAFDGSDFGSDFGSDFGWRlMDQ3Y2RhNmYifQ.UudP6cNAhM-B-91Fh9yiCI8U0”
kind
:
“identitytoolkit#VerifyAssertionResponse”
lastName
:
“”
localId
:
“PLAINTEXT”
oauthAccessToken
:
“ALL OF THIS WAS IN PLAIN TEXT ALSO”
photoUrl
:
“https://lookaside.facebook.com/platform/profilepic/?asid=10154910602394023&height=100&width=100&ext=1524563012&hash=AeRDIQV79AJHqId_”
providerId
:
“facebook.com”
rawUserInfo
:
"{“EVERYTHING IN PLAIN TEXT”
refreshToken
:
“APyOXy24E71H_2LPnhwlBiN3sP1JYotc4mc-ecVbtls9xX0SWd89PCX3BzhvN87_24EqZWTL2zxxeT5jFgjS6sWK7gpvQ”
timeZone
:
“-4”