2

I'm currently building an app, back-end and front-end, and I use Firebase for saving pictures that the users can upload and download. Up till now I've been uploading them from the front-end, and if the upload is successful then I send the image link with the rest of the data to the back-end. But as I'm saving Firebase credentials (in order to connect) in the app, now I'm questioning whether it would be better/safer to do it all in the back-end, sending all the information (image included) and letting the back-end upload the image to Firebase. I don't know how secure those credentials are being in the app.

Frank van Puffelen

Andrew Alizaga
  • Connecting to firebase on the frontend without any sort of authorization per user is equivalent to handing your data to any script-kiddie out there. – Seaskyways Jan 27 '19 at 12:59
  • Firebase is a backend solution, you should use the Firebase admin sdk to do all of that in your backend. – Levi Moreira Jan 27 '19 at 13:19
  • It's a bit unclear what you're asking, so I gave some broad description on how things work below. If that doesn't answer, please provide an example of one specific use-case and what your concern is. Just "safer" is unfortunately really broad, so hard to answer. – Frank van Puffelen Jan 27 '19 at 14:53

1 Answer

15

I usually handle things in the front-end if the Firebase SDK has what I need. The only common reasons not to do this are when there is a requirement to do them in the back-end. This is only common for operations that: require a lot of memory/CPU/bandwidth, require access to secret information (e.g. an API key for a payment gateway), or where the code itself is secret (e.g. detecting cheats in a game, or malicious messages in a chat app).

In your case for example, uploading directly from the front-end to Cloud Storage is a great reason to use the Firebase SDK. Doing so means that Firebase takes care of the encoding, of retrying, of security, and many other things. If you'd want to introduce your own server in the middle, you'll have to write the (client and server) code to handle all of that yourself.

Note that the keys that Firebase tells you to add to your app through the google-services.json are not credentials, but merely configuration data that the app needs to find your Firebase project on the servers. For more on this, see my answer here: Is it safe to expose Firebase apiKey to the public?

But that said, with the configuration data anybody can call Firebase API methods on your project. So you need to secure access in some way, to prevent other users from coming up with their own code that uses your project.

The common way to do this is by using Firebase Authentication on the client to sign the users of your app in. You'd then use the Firebase security rules to limit who can read/write what files in Cloud Storage.

Frank van Puffelen

  • Google should put your explanation on their Get Started section. I'm new in this kind of application and until now I just wrote codes that read, save and delete and show data in user interface. As I see, none of them are running on the back-end. – Andre RB Nov 11 '20 at 02:19
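The approach the answer recommends, using Firebase Authentication on the client and then letting Cloud Storage security rules decide who may read or write which files, as an added example that is not part of the original answer. This is a Cloud Storage for Firebase rules file written for illustration here; the `users/{userId}/images/{fileName}` path layout, the 5 MB size limit and the image-only restriction are assumptions about the app, not something the question or answer specifies. The first `match` block shows the kind of wide-open rule that turns anyone holding the app's configuration data into a full read/write client of the bucket; the second block is the hardened replacement.

```firebase-rules
rules_version = '2';

service firebase.storage {
  match /b/{bucket}/o {

    // WEAK (shown for contrast, do not deploy): every request is allowed, so
    // anybody who extracts the project configuration from the shipped app can
    // read, overwrite or delete any object in the bucket.
    // match /{allPaths=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: files live under a per-user folder (assumed layout) and only
    // the signed-in owner of that folder may touch them.
    match /users/{userId}/images/{fileName} {

      // Reads require a signed-in user whose Firebase Auth uid matches the
      // folder; other users' folders stay invisible to them.
      allow read: if request.auth != null
                  && request.auth.uid == userId;

      // Uploads additionally have to be images and under 5 MB (assumed
      // limits), which stops the bucket being used as arbitrary file storage.
      allow write: if request.auth != null
                   && request.auth.uid == userId
                   && request.resource.contentType.matches('image/.*')
                   && request.resource.size < 5 * 1024 * 1024;
    }

    // Anything outside the per-user tree is denied; this is also the default
    // when no match block applies, but stating it makes the intent explicit.
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```

With this file saved as `storage.rules` and referenced from `firebase.json`, `firebase deploy --only storage` publishes it. The client still uploads straight from the front-end with the Firebase SDK, as the answer suggests; the difference is that an upload to `users/<someone else's uid>/images/...` now fails with a permission error regardless of which configuration data the caller holds.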