
I have created a simple Firebase chat system using pure JavaScript. Everything is working fine, but I have the code below in JavaScript open to everyone.

  var config = {
    apiKey: "AIzaSyD0Bm91234567678srKwjUGrpu35dgIIE",
    authDomain: "example-26847.firebaseapp.com",
    databaseURL: "https://example-26847.firebaseio.com",
    projectId: "example-26847",
    storageBucket: "example-26847.appspot.com",
    messagingSenderId: "937123954572"
  };

But I feel like this is vulnerable to hacking. How do I protect it? I have only a PHP web server.

2 Answers

You don't have much choice.

Accessing it via JS

You actually need those keys in your JavaScript-based app, so they will be in it one way or another. I don't think it exposes much risk; you can still add some rules to only allow read/write access to Firestore based on API keys/tokens you'll generate.
Another solution would be to get those ids from your server via an AJAX/XHR request and store them locally in some private browser-based storage.

VCS

Keeping those ids locally without being committed to a VCS is easy (.gitignore, for example, with a .example file).

Also, you don't need all of them: storageBucket is only for storing files in GCP Storage, messagingSenderId for push notifications.

Hugo Gresse
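The access rules Hugo's answer refers to, as an added example that is not part of the original post. The question's config uses databaseURL, so these are Firebase Realtime Database rules for a chat app whose data layout (/rooms/$roomId/members and /rooms/$roomId/messages, with uid/text/ts fields on each message) is assumed here. The web API key stays public; what limits a holder of it is rules like these, which require a signed-in user, room membership, and well-formed messages.

```json
{
  "rules": {
    // Nothing is readable or writable unless a rule below grants it.
    "rooms": {
      "$roomId": {
        "members": {
          // Only members of a room can see who else is in it.
          ".read": "auth != null && data.child(auth.uid).exists()",
          "$uid": {
            // A signed-in user may add only themselves, and only once.
            ".write": "auth != null && $uid === auth.uid && !data.exists()",
            ".validate": "newData.isBoolean()"
          }
        },
        "messages": {
          // Reading the message list requires membership in this room.
          ".read": "auth != null && root.child('rooms/' + $roomId + '/members/' + auth.uid).exists()",
          "$messageId": {
            // Members may append new messages; existing ones cannot be edited or deleted.
            ".write": "auth != null && !data.exists() && root.child('rooms/' + $roomId + '/members/' + auth.uid).exists()",
            // The sender must be the writer, the text is bounded, and the timestamp is server time.
            ".validate": "newData.hasChildren(['uid', 'text', 'ts']) && newData.child('uid').val() === auth.uid && newData.child('text').isString() && newData.child('text').val().length <= 1000 && newData.child('ts').val() === now"
          }
        }
      }
    }
  }
}
```

The client must write the ts field with the server timestamp placeholder (firebase.database.ServerValue.TIMESTAMP) for the now check to pass.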

Well, the easy answer is to simply store the API key in your environment variable on the PHP server. You can access these variables using the $_SERVER and $_ENV arrays.

Ref: http://php.net/manual/en/reserved.variables.environment.php

Either use the php.ini file and add the API key variable to it, or use the user.ini file if you don't have access to php.ini.

Besides, storing API keys is a risk, especially if you are storing your code in GitHub or a code repository like it.

Ref: http://php.net/manual/en/configuration.file.per-user.php

Ref: http://php.net/manual/en/configuration.file.php

You can use getenv() to retrieve the API key variable. Ref: GetEnv

You can go a step further and restrict the usage of this API key to your domain name from the google firebase console.

Magnus Melwin
  • Hi, even if I have saved it in $_SERVER, I have to echo $_SERVER to the webpage and it will be visible to users, right? Correct me if I am wrong. Is there any way to authenticate in PHP and just echo a token or something and connect to JS? – Ajay Websitica Mar 21 '19 at 09:42
  • No, as long as you are using HTTPS mode there should not be a security issue here. Use getenv to retrieve the variable. – Magnus Melwin Mar 21 '19 at 09:44
  • In fact, storing the variables in the manner you have done is a security risk. Having worked in Firebase myself, this is the recommended method to do so. – Magnus Melwin Mar 21 '19 at 09:50