
I'm quite new to Firebase in general and I have some questions which I'm not sure if they are an issue or not.

First I set up my API keys and such

<script>
  firebase.initializeApp({
    apiKey: '#####',
    authDomain: '#####',
    projectId: '####'
  });

  // Initialize Cloud Firestore through Firebase
  var db = firebase.firestore();
</script>

And then I went and used the example given by Google

<script>
    var docRef = db.collection("MyTable").doc("person1");

    docRef.get().then(function(doc) {
        if (doc.exists) {
            console.log("Document data:", doc.data());
        } else {
            // doc.data() will be undefined in this case
            console.log("No such document!");
        }
    }).catch(function(error) {
        console.log("Error getting document:", error);
    });
</script>

And it worked, I got the stuff that I needed. But my main question is: isn't this unsafe?

I opened the Developer Console and I inspected the scripts to see what's going on, and I saw that it shows everything: my database name, the collection I'm accessing and so on.

What is to stop a random person from just copying my code and running it on their side? Is there a fix to this, or is it meant to work like this?

As I said I'm new to this so maybe I'm missing something here.

Frosty
  • https://angularfirebase.com/lessons/the-ultimate-beginners-guide-to-firebase/ – James Poag Jul 15 '18 at 12:45
  • This is "just" configuration data that your app needs to be able to find its Firebase data on Google's servers. There is no way to talk to a back-end service without knowing its configuration data, at the very least the URL of the service. Since you can't prevent exposing this info, you'll secure access through other means. In the case of Firebase this is typically done by requiring the users to sign in, and then use server-side security rules to authorize their data access. See https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Frank van Puffelen Jul 15 '18 at 14:05

1 Answer

You are unable to whitelist domains for your database. Keep in mind that as a public cloud hosted database, public really means public. That said, there are a few things you can do:

  • Use Firebase Cloud Functions for anything you want to keep out of the client.
  • Use /__/firebase/init.js in your web client, which will configure and initialize your Firebase instance without it being explicitly loaded onto the page. Keep in mind users can still get the info by following the JS link.
  • If your users are authenticated then you can use database rules to make sure only logged-in users see data, e.g. `{ "rules": { ".read": "auth !== null" } }`, or that the logged-in user can only see their own data. Check here for more info: https://firebase.google.com/docs/firestore/security/get-started#writing_rules
  • If you set up rules to require your users to be signed in, you can use Google auth to whitelist your domain. This will ensure only your users can view your data and also that it is only via your client. For more info on writing queries with rules applied, see this page: https://firebase.google.com/docs/firestore/security/rules-query
Isuru Fonseka
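To make the third and fourth points concrete, here is an added example (not from the answer above or from Firebase's docs) of Cloud Firestore security rules for the asker's `MyTable` collection: first the wide-open "test mode" rules that make a leaked config equivalent to a public database, then a hardened version. It assumes each document carries an `owner` field holding the Firebase Auth UID of the user it belongs to; that field name is an assumption.

```firestore
// --- Weak: test-mode rules. Anyone who copies the config can read and
// --- write every document, which is what the question is worried about.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

// --- Hardened: require sign-in and tie every document to its owner.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /MyTable/{personId} {
      // Reads succeed only for a signed-in user on documents they own.
      // (Assumed field: `owner` stores the Firebase Auth UID.)
      allow read: if request.auth != null
                  && resource.data.owner == request.auth.uid;

      // New documents must be stamped with the creator's own UID.
      allow create: if request.auth != null
                    && request.resource.data.owner == request.auth.uid;

      // Updates: only the owner, and the owner field cannot be reassigned.
      allow update: if request.auth != null
                    && resource.data.owner == request.auth.uid
                    && request.resource.data.owner == resource.data.owner;

      // Deletes: only the owner (request.resource is not set on delete).
      allow delete: if request.auth != null
                    && resource.data.owner == request.auth.uid;
    }

    // Everything not matched above is denied by default; stated explicitly.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

With the hardened rules, `db.collection("MyTable").doc("person1").get()` from the question only succeeds when the signed-in user's UID equals that document's `owner`, and a collection query must include `.where("owner", "==", firebase.auth().currentUser.uid)` or it is rejected outright, since rules are not filters.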