This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
What is the best way to secure Firebase API keys in a react app so it is not accessible publicly? [duplicate]
(1 answer)
Closed 12 days ago.
Until now, I have been creating beginner projects and now I want to level up so, I am using firebase for my database accesses and it uses javascript to perform all the operations and updates HTML according to that. But, JS is a client side solution which involves a lot of security concerns.
I have this code in firebase.js
const firebaseConfig = {
apiKey: "API_KEY",
authDomain: "AUTH_DOMAIN",
databaseURL: "DATABASE_URL",
projectId: "PROJECT_ID",
storageBucket: "STORAGE_BUCKET",
messagingSenderId: "MESSAGING_SENDER_ID",
appId: "APP_ID"
};
firebase.initializeApp(firebaseConfig);
And it is exposed to browser so I want to secure it.
This is my first step towards to web development security so I don't have much knowledge. On top of that whatever references I am creating has path of my database structure as well. for example,
const imagesRef = ref(storage, 'images');
How to secure all these vulnerabilities?
I tried to look for the problem on google and got summary.
Store the config in server
Access the config using API call back
Firstly, I don't know how to store and access. But, if I learn and I do store in server then what's the meaning of Google's serverless firebase?
So, I want to know that solution which is used to secure these type of information by google.
Related
I have just manually key in all the data in my firebase realtime database. But when i run my application (using react native expo), i get the following warning in my terminal:
[2023-02-06T09:53:41.782Z] #firebase/database: FIREBASE WARNING: Database lives in a different region. Please change your database URL to https://******-default-rtdb.asia-southeast1.firebasedatabase.app (https://*******-default-rtdb.firebaseio.com/)
What does this means? Does it means my firebase realtime database wont work at all?
Also I did a checked on my firebase realtime database URL, the url is the same as the one they ask me to change to before the URL in the bracket. What does this means? I am confused by this.
If I have to change the URL to the bracket one, how do i do it?
My current firebase config: I copied this from the firebase when I first started developing this app
Update following your comment and question update: It appears that your Firebase config object doesn't contain the URL of your Realtime Database instance.
You didn't share your Firebase config object but it seems that it contains the URL of Realtime Database instance based in the default region, i.e. the us-central1 region.
So you need to update your Firebase config object with the correct URL, corresponding to the asia-southeast1 region.
const firebaseConfig = {
apiKey: "API_KEY",
authDomain: "PROJECT_ID.firebaseapp.com",
// The value of `databaseURL` depends on the location of the database
databaseURL: "https://******-default-rtdb.asia-southeast1.firebasedatabase.app",
projectId: "PROJECT_ID",
// ...
};
The Hacker News API documentation says:
If you can use one of the many Firebase client libraries, you really should. The libraries handle networking efficiently and can raise events when things change. Be sure to check them out.
It doesn't specify how to do that though. How can I use the Firebase client libraries to interact with the Hacker News API, to gain more efficient networking and support for listening for events?
You can interact it with it using the Realtime Database API. Set the databaseURL to https://hacker-news.firebaseio.com, and you can make queries using the Firebase client libraries. The paths are the same as the paths in the API, without the .json file extension. For example, this would get data for the user jl using the web client:
var config = {
databaseURL: "https://hacker-news.firebaseio.com",
};
firebase.initializeApp(config);
var database = firebase.database();
console.log((await database.ref("v0/user/jl").get()).val());
I would like to get data from Firebase. I found some tutorials, but all is using Google Credential ServiceAccount to initialize firebase app. this's is tutorial that i found :
https://medium.com/techwasti/spring-boot-firebase-crud-b0afab27b26e , and else tutorial i found, almost like that too, is using ServiceAccount.
But the problem is i cannot get the ServiceAccount from this firebase because it's from third party. that's mean the owner of firebase don't want to give ServiceAccount.json to me, but they give me firebase config to me, like this :
const firebaseConfig = {
apiKey: "apkey",
authDomain: authdomain",
databaseURL: "databaseurl",
projectId: "projectid",
storageBucket: "storragebucket",
messagingSenderId: "messagesenderid",
appId: "appid",
measurementId: "measurementid"
};
So, how can i initialize this firebase using kotlin in my java springboot aplication?
i had try to find the solution, but not found anything,
I would be glad for any help.
If you want to initialize the Firebase Admin SDK, you will need a service account. There are no alternatives for this.
The config for the front end web app that you're showing here will not work at all. That config is only used for frontend apps that are acting as clients on behalf of the end user.
This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
Closed 3 years ago.
As the title says, is it a security risk/concern that I hard code my firebase config data into my (react-native) app? If it's a concern, is there a different approach to this?
I'm talking about the data mentioned below.
const config = {
apiKey: "",
authDomain: "",
databaseURL: "",
projectId: "",
storageBucket: "",
messagingSenderId: "",
appId: ""
};
No. Several reasons:
1 No secret there
2 You could access the project using the Firebase REST API instead of the sdks
3 It is the equivalent of a public API
4 The real security is on the database or storage rules
Think it this way.
Plenty of services like Twitter, Spotify, Gmail, expose public APIs. But you cant tweet in behalf some one else, or you cant like a song, or you cant send an email.
So if some one get that file from the client, web or mobile, then they would only be allowed to do what rules allow to. If you create a chat app then your rules will prevent impersonation or miss use of files.
Taking my first steps with Firebase. Just a few pointers to documents explaining what is going on will help.
I have set up a new firebase web project and connected my dev environment with the firebase sdk. Now when I drop the email-password quickstart into the project it works. (after enabling email/password sign in.)
But wait: This quickstart html file does not contain any configuration that the firebase console tells me to paste:
var config = {
apiKey: "xxx",
authDomain: "xxx.xxx.com",
databaseURL: "https://xxx.xxx.com",
projectId: "xxxx",
storageBucket: "xxx.xxx.com",
messagingSenderId: "xxx"
};
Does the local firebase server add the configuration in the background? When and where do I have to add this configuration to web pages?
If you check line 35 of that quickstart, you'll find this magic include:
<script src="/__/firebase/init.js"></script>
This is an auto-generated file by Firebase Hosting, that contains precisely the code that initializes the connection to the Firebase backend services of your project.
If you'd like to learn more about it, read:
Easier configuration for Firebase on the web
SDK imports and automatic initialization
SDK auto-configuration