3

I'm building a website in Firebase. It's a simple look-up service which only has an input element that fires a request to a 3rd-party API.

www.3rdparty.com/api/[myapikey]/method

The problem is that I'm limited to x requests per second and I can't expose my api-key to the users.

My mission eventually is to store the responses in Firebase so that I can limit the number of requests that reach the 3rd party (a cache function).

Salmin Skenderovic

1 Answer

6

Putting such an API key into the client-side code of your application introduces the risk of malicious users taking your key and using it for their own purposes. There is nothing you can do about that, except for simply not including the API key in the client-side code. This applies equally to Android and iOS code btw.

Since you can't put the API key in client-side code, you'll have to run it on a server. This is a quite common scenario for using server-side code within a Firebase architecture: the code needs access to some information that common clients cannot be trusted with. It is covered by pattern 2 in our blog post on common Firebase application architectures.

From that blog post:


An example of such an architecture in action would be clients placing tasks for the server to process in a queue. You can have one or more servers picking off items from the queue whenever they have resources available, and then place the result back into your Firebase database so the clients can read them.

Frank van Puffelen
  • I understand the architecture, but why does Firebase suggest putting the API creds on the client? https://firebase.google.com/docs/web/setup <- isn't this everything someone _else_ would need to act on your accounts/db? – Adam Jul 23 '16 at 05:09
  • 1
    If you're referring to the API key, see http://stackoverflow.com/questions/37482366/what-is-the-firebase-apikey-for. – Frank van Puffelen Jul 23 '16 at 15:08
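The server-side worker pattern from the answer above, combined with the cache and per-second limit the question asks for, as an added example (not code from the original posts or from Firebase). The `Map` cache stands in for a Firebase database path, `callUpstream` is an injected HTTP function, and the environment variable name and the `q` parameter are assumptions.

```javascript
// Added example. Maps stand in for Firebase database paths; callUpstream is
// injected so the sketch runs offline. THIRD_PARTY_API_KEY is an assumed name.
const API_KEY = process.env.THIRD_PARTY_API_KEY || 'constructed-demo-key';

// URL shape from the question; the "q" parameter is hypothetical.
// This string exists only on the server and is never written to the database.
function upstreamUrl(term) {
  return `https://www.3rdparty.com/api/${API_KEY}/method?q=${encodeURIComponent(term)}`;
}

function createWorker({ cache, callUpstream, maxPerSecond, now = Date.now }) {
  const sent = []; // timestamps (ms) of upstream calls inside the current window
  return async function handle(task) {
    // Clients control the queue, so validate before spending quota on a task.
    const term = String(task.term || '').trim().toLowerCase();
    if (!/^[\w .-]{1,64}$/.test(term)) return { status: 'rejected' };

    // Cache hit: answer without touching the third party.
    if (cache.has(term)) {
      return { status: 'ok', source: 'cache', result: cache.get(term) };
    }

    // Sliding one-second window keeps the worker under the provider's limit.
    const t = now();
    while (sent.length && t - sent[0] >= 1000) sent.shift();
    if (sent.length >= maxPerSecond) return { status: 'retry' }; // stays queued
    sent.push(t);

    const result = await callUpstream(upstreamUrl(term));
    cache.set(term, result); // only the response body is stored, not the URL
    return { status: 'ok', source: 'upstream', result };
  };
}
```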