Firebase firestore app - Is it good practice using web calls? Can exposing the apiKey allow someone to let you have extra bills?

Question

I'm developing a web app which relies on realtime sync through Firebase firestore in Cordova.

I tried to use one specific plugin without success.

I ended up using just web calls like this:

index.html

I loaded

https://www.gstatic.com/firebasejs/5.8.0/firebase-app.js

https://www.gstatic.com/firebasejs/5.8.0/firebase-firestore.js

and I added to head

<meta http-equiv="Content-Security-Policy" content="
    default-src 'self' *.googleapis.com data: gap:
        https://ssl.gstatic.com;
    script-src 'self' 'unsafe-inline' 'unsafe-eval'
        https://*.gstatic.com https://*.googleapis.com;
    style-src 'self' 'unsafe-inline';
    media-src *;
    connect-src *
">

index.js

firebase.initializeApp({
     apiKey: 'my_api_key',
     authDomain: 'localhost',
     projectId: 'my_projectid'
});

var db = firebase.firestore();     

function loadMessages() {
    var query = firebase.firestore()
                    .collection('my_collection');

    // Start listening to the query.
    query.onSnapshot(function(snapshot) {
        snapshot.docChanges().forEach(function(change) {
            if (change.type === 'removed') {
                console.log("deleted"+change.doc.id);
            } else {
                var message = change.doc.data();

                //change color and text
                console.log(change.doc.id+": "+message.status);
                }
            }
        });
    });
}

// We load currently existing chat messages and listen to new ones.
loadMessages();

it works but I'm wondering if there is there any security risk in this approach?

Especially because api_key remains exposed...

EDIT

As metioned in the bottom comments of:

Is it safe to expose Firebase apiKey to the public?

How can I prevent my apikey to be used by someone else and then getting billed by Google for the calls I did not generate? Is there a way to allow calls only from my app "com.example.app" ?

Thanks

The API key that you pass to `firebase.initializeApp({...})` is configuration data that is needed to find your Firebase project on the servers. It is not an authorization mechanism. See https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public — Frank van Puffelen, Feb 24 '19 at 15:39
Thanks Frank, that's useful. Anyway, how can I prevent someone use my apikey and generates traffic on my account? — lui, Feb 25 '19 at 13:52
As mentioned here: https://stackoverflow.com/a/35419194 and in many other places, you do that by writing security rules for your use case. Since those are enforced server-side, they're the only secure way to ensure all data access is authorized. — Frank van Puffelen, Feb 25 '19 at 15:14
Ok, but what is a rule that allows only my app to read the data while permitting everyone that has the app to read the data? — lui, Feb 25 '19 at 17:54
There isn't such a rule. "Your app" is not a thing that can be uniquely identified, since anyone who has access to your app, can impersonate it. That's why Firebase security is done through identifying the user (known as authentication), and securing based on that (known as authorization). — Frank van Puffelen, Feb 25 '19 at 18:42
Also see https://stackoverflow.com/q/51727681, https://stackoverflow.com/a/23172957, https://stackoverflow.com/a/18007760. They all boil down to the same though: you can't limit access to just "your app", so you will have to secure in another way (typically by authenticating the user in some way, and then ensuring all data access is authorized based on that). — Frank van Puffelen, Feb 25 '19 at 18:53
I had the impression you could limit Firebase/Firestore access by app but you have to use the json files created with Firestore projects (and not the web api_key). Is that correct? — lui, Feb 25 '19 at 18:55

Firebase firestore app - Is it good practice using web calls? Can exposing the apiKey allow someone to let you have extra bills?

0 Answers0