When creating a new project Firebase generates browser API keys automatically in the GCP API credentials. This is the same API key that is set in the Firebase Web client SDKs and is publicly available. By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project. Surprisingly I have not found information about securing this key in the Firebase documentation. So I took two extra steps to secure the key: <ol> <li>Added HTTP referrer restriction to allow requests from my domain only.</li> <li>Added Identity Toolkit API to the list of allowed APIs. Experimentally I've figured out that it's enough for Firebase Auth and Firestore to work.</li> <li>Added Token Service API. This is needed for refresh tokens to work and keep the authentication.</li> </ol> My question is mostly related to points #2-3. What are the APIs that needs to be enabled for various components of Firebase to work on the web?

I also enabled those same two APIs, but I used the Metrics Explorer to see what the various Firebase-created keys had been using based on actual traffic. In GCP, <ul> <li>Go to Monitoring -> Metrics Explorer</li> <li>Click 6W in the time range above the graph</li> <li>Resource Type, start typing <code>consumed_api</code> and select it</li> <li>Metric, choose Request Count</li> <li>Group By, type <code>credential_id</code>, select it, then type <code>service</code>, and select it</li> <li>Aggregator, select <code>sum</code> </li> </ul> By now, the legend for the graph should list all the credential ids and which services they used in the last 6 weeks. You should be able to figure out the APIs from the service. You can use Filter to filter by <code>credential_id</code> if the results are too noisy.

Firebase browser key API restrictions

Tags:

firebase

google-cloud-firestore

firebase-authentication

When creating a new project Firebase generates browser API keys automatically in the GCP API credentials. This is the same API key that is set in the Firebase Web client SDKs and is publicly available.

By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project. Surprisingly I have not found information about securing this key in the Firebase documentation.

So I took two extra steps to secure the key:

Added HTTP referrer restriction to allow requests from my domain only.
Added Identity Toolkit API to the list of allowed APIs. Experimentally I've figured out that it's enough for Firebase Auth and Firestore to work.
Added Token Service API. This is needed for refresh tokens to work and keep the authentication.

My question is mostly related to points #2-3. What are the APIs that needs to be enabled for various components of Firebase to work on the web?

393

asked Feb 04 '19 22:02

dbanisimov

2 Answers

I also enabled those same two APIs, but I used the Metrics Explorer to see what the various Firebase-created keys had been using based on actual traffic.

In GCP,

Go to Monitoring -> Metrics Explorer
Click 6W in the time range above the graph
Resource Type, start typing consumed_api and select it
Metric, choose Request Count
Group By, type credential_id, select it, then type service, and select it
Aggregator, select sum

By now, the legend for the graph should list all the credential ids and which services they used in the last 6 weeks. You should be able to figure out the APIs from the service.

You can use Filter to filter by credential_id if the results are too noisy.

103

answered Oct 21 '22 00:10

CharlieNoTomatoes

By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project.

This is indeed possible and I am able to make e. g. Google Maps API call with the auto generated Firebase API key.

Such preconfigured behaviour was certainly unexpected and I am now experimenting with the restrictions as per the extra steps described in the original question.

answered Oct 20 '22 23:10

dmudro

Related questions
                            
                                "The operator '[]' isn't defined" error when using .data[] in flutter firestore
                            
                                Default FirebaseApp is not initialized in this process. Make sure to call FirebaseApp.initializeApp(Context) first
                            
                                Firebase custom event parameters not visible in console
                            
                                Unregistered token error after sending one notification
                            
                                Not receiving Firebase Cloud Messaging delivery receipts
                            
                                Bundle firebase-messaging-sw.js deps with Webpack
                            
                                Firebase Functions with Yarn workspaces
                            
                                Is there a way to generate a push ID from the Console in the new Realtime Database?
                            
                                Can I customize the firebase OTP digits (default 6 to 4)?
                            
                                Firebase Database Migration
                            
                                Changing firebase data model (while multiple app versions are in production)
                            
                                Task com.google.firebase.a.v rejected from java.util.concurrent.ThreadPoolExecutor
                            
                                Xcode 10 Warning: Skipping code signing because the target does not have an Info.plist file
                            
                                onAuthStateChanged inconsistent
                            
                                Port and Proxy Config on ng-build
                            
                                Does firebase set apns-push-type header automatically?
                            
                                Angular Firebase app crashes after 20 hours with +1 gigabyte of memory allocation
                            
                                Firebase crash due to null pointer exception

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With