Firebase docs suggest firebase auto-created keys should not be restricted and unlike other sercet keys can happily appear in website's source:
Unlike how API keys are typically used, API keys for Firebase services are not used to control access to backend resources; that can only be done with Firebase Security Rules. Usually, you need to fastidiously guard API keys (for example, by using a vault service or setting the keys as environment variables); however, API keys for Firebase services are ok to include in code or checked-in config files.
The API keys auto-created by Firebase, by default, have no restrictions.
Secure your database and Cloud Storage data by using Firebase Security Rules, not by restricting and/or obscuring your API keys.
However, it seems that when we include our firebase key in our source code, it can be used by a malicious attacker to call paid Google services, such as Custom Search APIs which costs $5/5000 queries, thus draining the Google console balance of a poor unsuspecting victim.
Also, it seems adding restrictions to Firebase keys is not working - either preventing the key from working or triggering a creation of a new auto-generated key instead (see here, here, here)
So should we somehow restrict the api-key,
hide the key from the website's source
or something else?
I wasn't able to find anything about he malicious attacks using an API Key auto generated and can be restricted without any problem. Most of the posts you commented on have responses on how to solve their problems with the restriction options. Also, google documentation does recommend some API Key restriction.
Also, you have the App check to limit access to the backend services in your Firebase project.
Here there is also an article about security of the API keys in firebase.
So, after testing around and looking through some pages I think it's pretty safe to let some of them unrestricted and another ones restricted depending on what they are accessing to and you shouldn't have any problem.
Related
I was wondering how to to secure firebase auth. I plan on using firebase JUST for user authentication (not using firestore or realtime db). Since the API key is exposed on the client, my fear is that a malicious user can find the key and start using it inappropriately. So far I've done the following to try to improve security:
Limit key use to a specific domain
Restrict the key to only be able to use "Identity Toolkit API"
Is there anything else I should do here?
My application should be the only one able to use my credentials to access the Firebase API.
For any app where you access a cloud based API directly from within the client-side application code, that is going to be a myth. The closest you can get within Firebase these days is with App Check, but that isn't available for Authentication calls at the moment.
Part of the reason for this is that the authentication API is quite well protected on its own already, and most abuse will actually not affect you as a developer very much. E.g. (ignoring phone auth) there is no charge for account creation, sign in, and any other operations.
I highly recommend checking:
Is it safe to expose Firebase apiKey to the public?
The documentation on API keys in Firebase.
The documentation on Firebase's security rules, which is how you can protect the Firestore and Realtime databases, and files in Cloud Storage.
The documentation on Firebase App Check, which reduces abuse for Realtime Database, Cloud Storage, Cloud Functions, and Firestore at the moment.
More of these previous questions on allowing only you app to access Firebase
I need to write safe security rules for a flutter project that doesn't require user authentication (for a reason) for creating new documents.
For all other actions you need to be authenticated.
People are only allowed to create a document if they use the app too.
Is it sufficient if I just limit the amount of created documents in a specific time (with timestamps) and also limit the size, or do I still need to consider something else?
I'm new to firebase but I kind of know that there are ways to do firebase-actions without the app (that will be creatable from the project) via commands if you just get the project-id.
For example that would be a case which I haven't considered yet.
Regarding the last point:
There are three Api keys in the google cloud platform firebase project:
An Android key, an IOS key and a browser key. (auto created by Firebase)
I thought, maybe if I'd apply a restriction to the Android key, so that only Android apps can use it and likewise for the IOS key, the problem could be solved, but I'm not sure.
(I then would restrict the keys via the Google Cloud Platform Project of the Firebase Project.)
People are only allowed to create a document if they use the app too.
This requirement is not enforceable on Firebase. Anyone can take the configuration data from your app, and use that to call the same APIs in the same way. As long as the calls meet your security rules, they will be allowed. And since there's no security rule clause that says "only from my app", you can't limit access to only people using your app.
Is it sufficient if I just limit the amount of created documents in a specific time (with timestamps) and also limit the size, or do I still need to consider something else?
How do you want to limit the document creation in time? If you want to do this per user, you'll need to know the user.
I recommend looking into Firebase's anonymous authentication, which gives user's of your app an ID without requiring them to enter credentials.
I have to build an API using Firebase, and need some help with design choices. I want to be able to sell the API to users, who can then use it to build/integrate their own applications. Users will have both read and write privileges.
General information:
I'm using Firestore db with email & password authentication.
Only specifically assigned users may use the API
Each user may only access specific documents concerning them.
I've noticed 3 different ways in which an API can be provided to a user of my Firestore db:
https triggered cloud functions (https://firebase.google.com/docs/functions/http-events)
Using the SDK (https://firebase.google.com/docs/firestore/client/libraries)
Using the REST API provided by Firbase (https://firebase.google.com/docs/firestore/use-rest-api)
API requirements:
Used only by users that I specifically grant access to (email & password login)
I want to limit these users to only a couple of read/write tasks that they're able to perform.
It needs to be safe.
My current approach is:
Use the 3rd option - the REST API provided by Firebase (thereby giving users the projectId and API key)
Add authorised users to the list of authorised accounts on Firbase, and limit access using custom claims and database rules.
My questions:
It seems that https functions (option 1) are normally used in API building. Are options 2 and 3 unsafe?
What are the normal use cases of the 3 options? When should each be used and when should each be avoided?
Are there any obvious flaws in my choice of option 3?
Any other useful information about making these design decisions will be much appreciated.
Thank you in advance
TL;DL: It depends on what you want to do with this API and how many and what type of devices/users will be calling it.
Before answering your questions I will list below the advantages of each approach:
Cloud Functions:
Cloud Function is a Functions as a Service Solution, so it's also a hosting service for your API, therefore you won't have to provision, manage, or upgrade servers and the API will automatically scale based on the load. Also this option takes into account the pros of SDKs and client libraries, since your code will have to use it to connect to Firestore anyway.
SDKs and client libraries:
This is the easiest and more optimized way to reach Firestore, however, environments where running a native library is not possible such as IOT devices will be left out of your solution, so consider this while implementing this option.
Cloud Firestore REST API:
Every device properly authorized to access Firestore will be able to do so.
NOTE: For both SDK and REST API you will need to consider hosting of your API, either on Cloud Functions, as mentioned, App Engine Standard, App Engine Flex or a Compute Engine Server Instance.
All that being said, it's up to you and your API's usage and requirements to say which option is best considering the points above.
As per security, I'd say that all option can be secure if firebase rules and firebase auth are set correctly.
What I want is to perform rest requests to Firebase Realtime Database from my esp8266 with micropython firmware without complex authorization process.
I know that I can turn off authorization at all in the rules but I'd prefer to have at least some basic security.
Can't I just use my Web API Key for this purpose?
Here is a doc which tells that there are 2 ways of authentication: oauth2 and generating key manually. Second way seems almost what I need but it requires setting up Admin SDK and as far as I understood still requires regenerating the key from time to time.
So eventually I have no answer to a simple question: how to authenticate rest requests to the Firebase Realtime Database in the most simple way?
The same page you linked to contains a section on using legacy tokens (also known as "database secrets" in the past). While those are not recommended anymore, they continue to work and are as simply as adding the (non-dynamic) database secret to your URLs.
I suggest you read the links at the bottom of the documentation. But I do recommend that you switch to using the OAuth or ID Token flows as those are much more secure.
Can somebody else get the Firebase credentials from my APK and use them? Is this prevented by adding the SHA-1 keys for Android?
If it is prevented, what do I need security rules for since only code from my app with my SHA-1 can manipulate database at all?
If it is not prevented, can somebody else use my Firebase database as long as his requests fit the security rules? (Write 2nd client, which actually cannot do bad things but should not be allowed at all.)
Im not sure how I should think about security rules:
A) Protecting data against access and manipulation from bad guys + B?
B) Just a set of rules to keep data in a certain state and prevent my software from doing invalid database request?
A Firebase Database can be accessed via the REST API, or any of the client libraries. The decision about whether a client can or can't do something is entirely based on the rules.
You can even just access the Database URL in a web browser and see a JSON response by putting .json on the end, e.g. https://[YOUR_PROJECT_ID].firebaseio.com/.json
So the answer is definitely B! The default rules in a new Firebase project are that read and write to the database require auth, but you can configure them to provide whatever levels of protection you need.
Take a look at the Database Rules quickstart to see what you can do!
We don't ship the Realtime Database secret (or any other "secret" material) in the json file that gets baked into your app. That file simply contains resource identifiers that allow us to know which resources (database, storage bucket, analytics, etc.) to properly authenticate to (we use Firebase Authentication for these purposes), and we handle server side authorization to ensure that users are properly logged in.
If you are authorizing your requests properly (using Firebase Realtime Database Rules, for instance), your data is secure!
I'd recommend watching The Key to Firebase Security, one of our I/O talks, which talks in greater detail about how this works.
firebaser here
Thanks to the new feature called Firebase App Check, it is now actually possible to limit calls to your Realtime Database to only those coming from iOS, Android and Web apps that are registered in your Firebase project.
You'll typically want to combine this with the user authentication based security that Mike and Ian describe in their answers, so that you have another shield against abusive users that do use your app.