0

I am working on an Angular 5 web application which is about taking online exams and instantly telling the result. After attempting the test, the client side will request to the server for the list of correct answers and then it will compare user's answers with the right answers received from firebase server, this is why I am bound (I guess so) to store API at client side.

My question is, after deploying the app (uglifying, tree-shaking) will it be possible for anyone (even authenticated users) to access APIs which are hard-coded in my web app? If yes, then how easy it will be for them?

In the end, if it is not a good practice to store an API key in the app. What can I do to secure firebase APIs used in my app.

I don't have any hosting server, my app will completely rely on firebase.

Note: I found some information online, regarding this topic. Most of it was very confusing for me or was about AngularJS/Angular 4.x apps (with personal back-end)/Android Applications.

Update: When the user opts to attempt test, the questions and options stored on the server are fetched using http request:

//Component Code
testData: any;
fetchTest() {
    this.obtainTest.getTest()
      .subscribe(
      (response: Response) => {
        this.testData = response.json();
        console.log(this.testData);
      },
      (error) => console.log(error)
      )
  }
//Code from http Service
getTest(){
        console.log('Obtain Test Service is working...');
        return this.http.get('https://myfyp-40291.firebaseio.com/tests/-L0f5r_-tHLMk45AU5zg.json')
    }

In testData questions and their possible answers are stored from firebase server and then showed to the user. Then the user selects possible right answers, when he is done. The right answers which are separately stored in another json object at firebase server, are requested using http request and the user's answers are compared with those right answers to show him his score.

getKeys(){
        return this.http.get('https://myfyp-40291.firebaseio.com/keys/-L0k_SQivBudFGcNjD-k.json');    
    }

Now this is the API I want to secure. I have read about firebase rules. For this key write will be surely restricted for the user but if I block read as well then how will he be able to get the right answers in the end? If I let him read then there is a threat he can access api key from the code, download the json object manually and know about all the right answers and attempt test accordingly.

In this situation please advice me what should I do to solve this issue?

//English is not my first language so sorry for mistakes and confusion.

Robert Williams
  • 1,370
  • 1
  • 17
  • 38
  • I am unable to understand why my question is marked as duplicate. Read the note at the end of my question. I have clearly mentioned that the information I found on web is about different/old technologies. The question Mr. @deceze is referring towards as duplicate is completely different since the person in that question is using php as well as his own back-end and his app has nothing to do with firebase and Angular 5. I have asked this question because I thought in firebase/Angular5's case they might have solved this issue. – Robert Williams Dec 19 '17 at 10:58
  • The fundamental answer regarding exposed APIs, regardless of what technology those APIs use, is the same: https://stackoverflow.com/a/27855686/476 – deceze Dec 19 '17 at 11:16
  • If you use Firebase in your web app, the browser will need to contain configuration data in order to be able to find the Firebase project on Google's servers. This is inherent to using Firebase (or any other web API), and in itself not a security risk. To subsequently ensure only authorized users an access your data, you'll want to use Firebase Authentication to identify your users and then Firebase's security rules to ensure authorized access. Also see my answer here: https://stackoverflow.com/a/37484053, and https://stackoverflow.com/q/39673620 – Frank van Puffelen Dec 19 '17 at 14:40
  • @FrankvanPuffelen My problem is something I want to hide one API key even from my users. As I told in the question right answers are stored at firebase server. If the registered user can access the full list of right answers than it will be failure of the system. – Robert Williams Dec 19 '17 at 20:08
  • Does firebase provide any option to solve this issue to reduce the chances? – Robert Williams Dec 19 '17 at 20:09
  • There is a difference between: 1) being able to read each answer, 2) being able to get a list of answers, or 3) being able to get a list of answers including information on which answer is correct. It sounds like you want #1 or #2, but not #3. – Frank van Puffelen Dec 19 '17 at 21:19
  • It sounds like you're having a hard time either modeling the correct data structure, writing the correct security rules, or writing the correct code for this use-case. Showing the [minimal JSON, rules, or code of where you are stuck](http://stackoverflow.com/help/mcve) drastically improves your changes of getting help. Since we're all devs here, such "code" is the language that we're least likely to misunderstand. – Frank van Puffelen Dec 19 '17 at 21:22
  • You are right, angular and firebase is new for me so I am a bit confused. I have updated my question and added code from different components as concisely as possible. – Robert Williams Dec 20 '17 at 11:56

1 Answers1

0

Yes, looking at the Network tab in their web browser's debugger will expose the response from the server including all correct answers.

You should send the user responses to the server and it will calculate the score and return it without returning all the answers.

r3m0t
  • 1,850
  • 16
  • 21
  • I would love to do that but I don't think it is possible using Google firebase. If you know how to do this then please elaborate in detail :) – Robert Williams Dec 19 '17 at 10:37