Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Firestore: prevent abuse from public apiKey

As per this answer, it is not a security risk to publicly expose your firestore api key, however, as later answers to that question pointed out, people can make excessive requests with it and drain your quota. Does firestore have any features to prevent excessive requests? If not, why do the docs show examples such as this that tell you to put all your config, including apiKey, in client side JavaScript?

like image 549
georgiaboy82 Avatar asked Jun 24 '18 15:06

georgiaboy82


People also ask

Is it possible to use FireStore with the REST API?

While the easiest way to use Firestore is to use one of the native client libraries, there are some situations when it is useful to call the REST API directly. The REST API can be helpful for the following use cases:

Should API keys for Firebase services be treated as a secret?

You can, however, set your API keys using a different mechanism, including environment variables. Although it's not necessary to treat an API key for Firebase services as a secret, there are some specific cases (see below) in which you might want to take additional measures to protect your project from misuse of the API key.

What happens when a Cloud Firestore API request fails?

When a Cloud Firestore request succeeds, the Cloud Firestore API returns an HTTP 200 OK status code and the requested data. When a request fails, the Cloud Firestore API returns an HTTP 4xx or 5xx status code and a response with information about the error. The following table lists recommended actions for each error code.

How does FireStore determine if a request is authorized or not?

For requests authenticated with a Firebase ID token and for unauthenticated requests, Firestore uses your Firestore Security Rules to determine if a request is authorized. You can generate an access token by using a service account with a Google API Client Library or by following the steps in Using OAuth 2.0 for Server to Server Applications.


1 Answers

Firebase monitors for abuse. If you think your database is seeing undetected abuse, reach out to Firebase support for personalized help in troubleshooting.

like image 57
Frank van Puffelen Avatar answered Nov 15 '22 11:11

Frank van Puffelen