This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
Closed 4 months ago.
This post was edited and submitted for review 4 months ago and failed to reopen the post:
Original close reason(s) were not resolved
I am using Firebase web + analytics and firebase makes an internal call that can be seen using DevTools in chrome.
The call is to this url https://firebase.googleapis.com/v1alpha/projects/-/apps/1:XXXXX:web:XXXXX/webConfig and the response retrieves all firebase properties:
{
"projectId": "XXXX",
"appId": "XXXXX",
"storageBucket": "XXXX.appspot.com",
"locationId": "us-central",
"authDomain": "XXXXX.firebaseapp.com",
"messagingSenderId": "XXXXXXXX",
"measurementId": "G-XXXXXXXX"
}
I think this is not secure because anybody could copy them and use it.
I don't know if this is because Analytics or something has change in firebase web version 9. Does this happened to some of you?
I read the firebase documentation and trying configure build options but nothing happened because it is a rest call performed by firebase sdk.
EDIT: I have another application using firebase 6 for web (without analytics) and this version does not have this issue.
This is the normal behavior of Firebase. Everything is shown to all. This does pose a security issue, but you can secure your app with Firebase Security Rules and with the new Firebase App Check.
Related
For a while ago I was using integration of Firebase in Google Apps Script as a server side and it was working finely and still working in my old projects.
But today after creating a new Firebase project and a new realtime database then trying to integrate Firebase Project into my Google Script project I got an error and it's not working completely. And I realize that Firebase deprecated database secret for new projects.
So, my question now is how to come over this problem? Is there another way to integrate Firebase into Google Script project?
You'll need to add the correct OAuth scopes to the manifest file of your Apps Script project, and then pass in an access_token parameter (or in the Authorization header) instead of the auth parameter you currently use.
Based on Doug's gist here, the basic steps are:
Open the manifest.json from the script editor, by clicking View > Show manifest file.
Add or edit the manifest to have these OAuth scopes:
"oauthScopes": [
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/firebase.database",
"https://www.googleapis.com/auth/script.external_request",
"https://www.googleapis.com/auth/spreadsheets"
]
That last scope grants it access to the spreadsheet itself. If you're using another GSuite type (document, slides, form, etc) you'll need the scope that corresponds that to type.
Now you can get the OAuth token from within your script and add it to your request:
var response = UrlFetchApp.fetch(databaseUrl, {
method: "PUT",
headers: {
"Content-type": "application/json",
"Authorization": "Bearer "+ScriptApp.getOAuthToken()
},
payload: JSON.stringify(json)
});
Logger.log(response.getContentText());
A major advantage of this is that your script will now run as an actual user, meaning that you can ensure it can only perform authorized actions through security rules.
This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
Closed 1 year ago.
It is very likely the case I am misunderstanding how all of this works as I am still a newer programmer, but in every course I have taken I have been told not to expose any credentials within the code.
In this Firestore documentation, it tells you to store your service account's credentials as a JSON file and include the file in the directory for the SDK to access. Am I wrong in thinking this is a security issue?
Firestore Getting Started Documentation
Under Initializing Firestore
To use the Firebase Admin SDK on your own server (or any other Node.js environment), use a service account. Go to IAM & admin > Service accounts in the Cloud Platform Console. Generate a new private key and save the JSON file. Then use the file to initialize the SDK:
const serviceAccount = require('./path/to/serviceAccountKey.json');
admin.initializeApp({
credential: admin.credential.cert(serviceAccount)
});
const db = admin.firestore();
Am I missing something here? Why is it okay to do this?
In fact it depends how we interpret "not to expose any credentials within the code."
Firstly, a main important rule, is to never include secrets (password, or service account keys, or any other confidential data) into the source code, and especially in source code configuration (git / github).
Secondly, in some situation, the only solution to authenticate to a service or API is to use a service account key. In this case, we must keep this file separated from source code, and provide it to app by an environment variable pointing to it.
If your code is running on Google Cloud Platform (App Engine, Cloud Functions, Cloud Run, Firebase Functions...), you can use default authentication provided directly by GCP, and avoid any service account key.
Check Firebase documentation.
In this case, you keep it just for development purpose on your local machine.
This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
Should I hide firebase api keys into backend? Not due to data security but project cloning issue
(2 answers)
Closed 2 years ago.
I have been messing around with Firebase in a web app and realized there's something I don't understand.
In order for the JS code to send data to the Firebase servers, your apiKey has to be in the JS. But then that means your API key is public, and anyone using your website can inspect the code and just send arbitrary commands to Firebase on your behalf from the dev tools, or from any other site now that they have the API key.
I know I must be missing something, since this would make Firebase not useful. What is it I'm missing? What prevents users from sending arbitrary commands to Firebase with your ApiKey?
For a while ago I was using integration of Firebase in Google Apps Script as a server side and it was working finely and still working in my old projects.
But today after creating a new Firebase project and a new realtime database then trying to integrate Firebase Project into my Google Script project I got an error and it's not working completely. And I realize that Firebase deprecated database secret for new projects.
So, my question now is how to come over this problem? Is there another way to integrate Firebase into Google Script project?
You'll need to add the correct OAuth scopes to the manifest file of your Apps Script project, and then pass in an access_token parameter (or in the Authorization header) instead of the auth parameter you currently use.
Based on Doug's gist here, the basic steps are:
Open the manifest.json from the script editor, by clicking View > Show manifest file.
Add or edit the manifest to have these OAuth scopes:
"oauthScopes": [
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/firebase.database",
"https://www.googleapis.com/auth/script.external_request",
"https://www.googleapis.com/auth/spreadsheets"
]
That last scope grants it access to the spreadsheet itself. If you're using another GSuite type (document, slides, form, etc) you'll need the scope that corresponds that to type.
Now you can get the OAuth token from within your script and add it to your request:
var response = UrlFetchApp.fetch(databaseUrl, {
method: "PUT",
headers: {
"Content-type": "application/json",
"Authorization": "Bearer "+ScriptApp.getOAuthToken()
},
payload: JSON.stringify(json)
});
Logger.log(response.getContentText());
A major advantage of this is that your script will now run as an actual user, meaning that you can ensure it can only perform authorized actions through security rules.
This question already has answers here:
Is it still possible to do server side verification of tokens in Firebase 3?
(2 answers)
Closed 6 years ago.
My Android app currently uses Google sign in and this works well. I add the tokenId to every server request and then verify it on the server. This was very easy to implement using this example (I'm using python).
I'm migrating this to go through Firebase so that I can easily add other authentication providers. My problem is that I can't seem to verify the token on the server. All I need is verification, no creation. Firebase seems to provide libraries only for Node.js and Java so I ccould use a standard JWT library like pyjwt. But where do I find Firebase's public key in order to verrify the token?
I found the answer in this post. The public keys for Firebase can be found here. The kid field in the header determines what key to use.