Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the best way to secure Firebase API keys in a react app so it is not accessible publicly? [duplicate]

I currently have a React app using Firebase authentication & uses Firestore as the database.

I currently have the app deployed using Amazon's Amplify service. My Firebase API keys, including the database URL and firebase app Id are all added as environment variables in the AWS console.

When I inspect the public bundle, I can see that all the API keys are public.

My questions are:

  • Does this sound right?
  • Is there a best practice for how to handle this situation?
  • Do I need to build a back-end to handle this?
like image 892
nkhil Avatar asked May 04 '20 19:05

nkhil


People also ask

How do I secure my Firebase key?

Be sure your Firebase project is still selected. Click Create credentials > API key. Take note of the new API key, then click Restrict key. In the API restrictions section, select Restrict key, then add to the list only the Super Service API .

How does Firebase authentication integrate with React?

Integrating Firebase into our React appEnter firebase-user-auth as the name of the web app. After that, click on the Register app button, which takes us to the next step where our firebaseConfig object is provided. Copy the config to the clipboard as we will need it later on to initialize Firebase.


1 Answers

Your API keys, database URL, app id etc are meant to be public.

According to the firebase docs:

The content is considered public, including your platform-specific ID (entered in the Firebase console setup workflow) and values that are specific to your Firebase project, like your API Key, Realtime Database URL, and Storage bucket name. Given this, use security rules to protect your data and files in Realtime Database, Cloud Firestore, and Cloud Storage.

The way you're meant to make your connection to firebase secure is to use security rules. You can add custom rules to make sure your DB is secure.

For example: You can make sure only userId 12345 has rights to create, read, update and delete records for userId12345.

like image 53
nkhil Avatar answered Nov 15 '22 06:11

nkhil