Firebase browser key API restrictions

When creating a new project Firebase generates browser API keys automatically in the GCP API credentials. This is the same API key that is set in the Firebase Web client SDKs and is publicly available.

By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project. Surprisingly I have not found information about securing this key in the Firebase documentation.

So I took two extra steps to secure the key:

  1. Added HTTP referrer restriction to allow requests from my domain only.
  2. Added Identity Toolkit API to the list of allowed APIs. Experimentally I've figured out that it's enough for Firebase Auth and Firestore to work.
  3. Added Token Service API. This is needed for refresh tokens to work and keep the authentication.

My question is mostly related to points #2-3. What are the APIs that need to be enabled for the various components of Firebase to work on the web?

dbanisimov asked Feb 04 '19 22:02
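Added here as an example (not code from the question, nor from Firebase or Google): a small Python audit that expresses the three steps above as a `Key.restrictions` body in the shape used by the API Keys API v2 (the resource that `gcloud services api-keys list/update` reads and writes), and that flags keys which still carry no client restriction or no API restriction. The service names `identitytoolkit.googleapis.com` (Identity Toolkit API) and `securetoken.googleapis.com` (Token Service API), the referrer pattern and the sample key list are my assumptions.

```python
import json

# Services the question found sufficient for Firebase Auth and Firestore on the web.
FIREBASE_WEB_SERVICES = (
    "identitytoolkit.googleapis.com",  # Identity Toolkit API (step 2), assumed name
    "securetoken.googleapis.com",      # Token Service API (step 3), assumed name
)

# Client-side restriction kinds a key may carry (API Keys API v2 union field).
CLIENT_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                       "androidKeyRestrictions", "iosKeyRestrictions")


def restriction_patch(referrers, services=FIREBASE_WEB_SERVICES):
    """Restrictions body: HTTP referrer allow-list (step 1) plus API targets (steps 2-3)."""
    return {
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": list(referrers)},
            "apiTargets": [{"service": s} for s in services],
        }
    }


def audit_keys(keys_json):
    """Map each key's displayName to its issues; input is JSON like `api-keys list --format=json`."""
    findings = {}
    for key in json.loads(keys_json):
        r = key.get("restrictions") or {}
        issues = []
        if not any(k in r for k in CLIENT_RESTRICTIONS):
            issues.append("no client restriction (any referrer, IP or app may use it)")
        if not r.get("apiTargets"):
            issues.append("no API restriction (usable against every API enabled in the project)")
        findings[key["displayName"]] = issues
    return findings


# Constructed sample: one key as Firebase auto-creates it, one locked down per the question.
SAMPLE_KEYS = json.dumps([
    {"displayName": "Browser key (auto created by Firebase)",
     "name": "projects/example-project/locations/global/keys/KEY-ID-PLACEHOLDER-1"},
    {"displayName": "Browser key (restricted)",
     "name": "projects/example-project/locations/global/keys/KEY-ID-PLACEHOLDER-2",
     **restriction_patch(["https://app.example.com/*"])},
])

if __name__ == "__main__":
    for name, issues in audit_keys(SAMPLE_KEYS).items():
        print(f"{name}: {'; '.join(issues) or 'ok'}")
```

Feeding the real output of `gcloud services api-keys list --format=json` into `audit_keys` shows which project keys are still in the default unrestricted state.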
2 Answers

I also enabled those same two APIs, but I used the Metrics Explorer to see what the various Firebase-created keys had been using based on actual traffic.

In GCP,

  • Go to Monitoring -> Metrics Explorer
  • Click 6W in the time range above the graph
  • Resource Type, start typing consumed_api and select it
  • Metric, choose Request Count
  • Group By, type credential_id, select it, then type service, and select it
  • Aggregator, select sum

By now, the legend for the graph should list all the credential ids and which services they used in the last 6 weeks. You should be able to figure out the APIs from the service.

You can use Filter to filter by credential_id if the results are too noisy.

CharlieNoTomatoes answered Oct 21 '22 00:10

By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project.

This is indeed possible and I am able to make, e.g., a Google Maps API call with the auto-generated Firebase API key.

Such preconfigured behaviour was certainly unexpected and I am now experimenting with the restrictions as per the extra steps described in the original question.

dmudro answered Oct 20 '22 23:10