Restricting Firebase API Keys

I've been toying around with Firebase, and after reading the documentation (and other SO questions), I'm still confused on some of the API keys. I'm using Firebase for Analytics, Crashlytics, and Performance. But also have it linked to Google Play and AdMob.

When I set it up for the first time, 3 API keys were created in the developer console.

  1. Browser key (auto created by Google Service)
  2. Android key (auto created by Google Service)
  3. Server key (auto created by Google Service)

I tried reading through the documentation to find where it is described how these keys are used, but I wasn't able to find it. From looking around the Firebase application, it looks like the Android Key is used as the Web API Key, and the Server Key is used as the Cloud Message Legacy Server Key (Although, I don't use Cloud Messaging). I'm not sure how Firebase is using the Browser Key.

What I'm trying to do is restrict these keys as much as possible to prevent any malicious use of them.

I added the following API restrictions

  1. Android Key
    • Firebase Services API
  2. Server Key
    • Firebase Cloud Messaging API
  3. Browser Key
    • Firebase Services API

I'm not entirely sure if these restrictions are correct for what I am using them for, but it worked for the Android Key and the Server Key, at least as far as I can tell. However, the Browser Key restrictions appear to not work as Firebase is creating a new Browser Key when I redeploy my application.

To sum up my question, I can see that Firebase is auto creating API keys for me, but I cannot find any documentation that talks about how these keys are used for the basic features of Firebase that I'm using. I'm also not entirely sure how I can restrict these keys, especially the Browser Key.

Spark323 Avatar asked Aug 11 '18 20:08

1 Answer

There are Application Restrictions where you can restrict by: HTTP referrers, IP addresses, Android apps, iOS apps. And these are the only ones that seem to work.

I've found that it is better to not restrict API calls on the auto generated Firebase API keys. I've tried API restrictions for the Firebase Web API Key but the changes break other components.

I tried restricting the API calls to only the ones that had something to do with Firebase or Authentication. After making these changes, login with password using Firebase stopped working and it displays the following error message in the JavaScript Console:

    https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=THE 1NOW1RESTRICTED1API1KEY
    {
      "error": {
        "code": 400,
        "message": "EMAIL_NOT_FOUND",
        "errors": [
          {
            "message": "EMAIL_NOT_FOUND",
            "domain": "global",
            "reason": "invalid"
          }
        ]
      }
    }

SAGB Avatar answered Oct 05 '22 09:10

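The question lists which API restrictions were put on each auto-created key, and the answer reports that application restrictions (referrers, IPs, app signatures) are the ones that hold up while an API restriction that leaves out identitytoolkit breaks password sign-in. The audit below is an added example, not code from either poster or from Firebase: it takes key records in the shape of the API Keys API v2 `Key` resource (the `restrictions.apiTargets`, `browserKeyRestrictions`, `androidKeyRestrictions`, `serverKeyRestrictions` and `iosKeyRestrictions` fields) and flags two defender-relevant gaps, a key with no application restriction at all, and an API-restricted client key whose target list omits a service the client actually calls. The three sample records are constructed to mirror the question's Browser, Android and Server keys; the package name, SHA-1 fingerprint, IP, referrer pattern and the `firebase.googleapis.com` target are placeholders, and the set of services a Firebase Auth client needs is an assumption to check against your own traffic.

```python
"""Offline audit of Google Cloud API-key restrictions (added example).

Works on in-memory records shaped like the API Keys API v2 `Key` resource, so it
runs without credentials. In practice the list would be fetched from
GET https://apikeys.googleapis.com/v2/projects/PROJECT/locations/global/keys
"""
import copy
from typing import Dict, List, Optional, Set

# Services an email/password Firebase Auth client talks to. The answer above
# shows identitytoolkit failing once it is missing from an API restriction;
# securetoken handles ID-token refresh. Assumption for this example: confirm the
# real set against your client's traffic before enforcing it.
FIREBASE_AUTH_SERVICES = {"identitytoolkit.googleapis.com", "securetoken.googleapis.com"}

# The four application-restriction kinds in the v2 schema; a key carries at most one.
APPLICATION_RESTRICTION_KINDS = (
    "browserKeyRestrictions",   # allowedReferrers
    "serverKeyRestrictions",    # allowedIps
    "androidKeyRestrictions",   # allowedApplications (package name + SHA-1)
    "iosKeyRestrictions",       # allowedBundleIds
)

# Constructed sample records mirroring the question's three auto-created keys.
# Fingerprint, package name, IP and the browser key's target are placeholders.
SAMPLE_KEYS = [
    {
        "displayName": "Browser key (auto created by Google Service)",
        # No browserKeyRestrictions: any origin can present this key.
        # API-restricted to one Firebase service, but not to identitytoolkit.
        "restrictions": {"apiTargets": [{"service": "firebase.googleapis.com"}]},
    },
    {
        "displayName": "Android key (auto created by Google Service)",
        "restrictions": {
            "androidKeyRestrictions": {
                "allowedApplications": [{
                    "packageName": "com.example.app",
                    "sha1Fingerprint": "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD",
                }]
            }
        },
    },
    {
        "displayName": "Server key (auto created by Google Service)",
        "restrictions": {
            "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
            "apiTargets": [{"service": "fcm.googleapis.com"}],
        },
    },
]


def application_restriction(key: dict) -> Optional[str]:
    """Return the application-restriction kind set on the key, or None if it has none."""
    restrictions = key.get("restrictions", {})
    for kind in APPLICATION_RESTRICTION_KINDS:
        if kind in restrictions:
            return kind
    return None


def api_targets(key: dict) -> Set[str]:
    """Services the key is API-restricted to; empty means no API restriction."""
    return {t["service"] for t in key.get("restrictions", {}).get("apiTargets", [])}


def audit_key(key: dict, required_services: Set[str] = frozenset()) -> List[str]:
    """Findings for one key: missing application restriction, and an API
    restriction that would cut off services the client needs."""
    findings = []
    if application_restriction(key) is None:
        findings.append("no application restriction: any referrer, IP or app can use this key")
    targets = api_targets(key)
    if targets:
        missing = set(required_services) - targets
        if missing:
            findings.append("API restriction omits services the client calls: "
                            + ", ".join(sorted(missing)))
    return findings


def audit_project(keys: List[dict], client_services: Set[str]) -> Dict[str, List[str]]:
    """Audit every key. The client-service check is skipped for IP-restricted
    server keys, which a browser or app never sends to identitytoolkit."""
    report = {}
    for key in keys:
        required = set() if application_restriction(key) == "serverKeyRestrictions" else client_services
        report[key["displayName"]] = audit_key(key, required)
    return report


def with_referrer_restriction(key: dict, referrers: List[str]) -> dict:
    """Copy of a browser key locked to the given HTTP referrers, the application
    restriction the answer reports as the kind that works."""
    hardened = copy.deepcopy(key)
    hardened.setdefault("restrictions", {})["browserKeyRestrictions"] = {"allowedReferrers": referrers}
    return hardened


if __name__ == "__main__":
    for name, findings in audit_project(SAMPLE_KEYS, FIREBASE_AUTH_SERVICES).items():
        print(name, "->", findings or ["ok"])
    fixed = with_referrer_restriction(SAMPLE_KEYS[0], ["https://example.com/*"])
    print("hardened browser key ->", audit_key(fixed, FIREBASE_AUTH_SERVICES))
```

Run against the constructed records, the Browser key produces both findings, the Android and Server keys none; after `with_referrer_restriction` the Browser key still reports the missing identitytoolkit and securetoken targets, which is exactly the state the answer describes. Dropping the `apiTargets` on that key (or adding the services the client calls) clears the last finding, and the referrer restriction is what then limits who can use it.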