Is it safe to use Firestore and its features via client only?

Question

If I use the prod environment variables in my App and set the server side rules for Firestore, would my app be completely secure to perform CRUD and authentication? I am asking this because I have been seeing Angular tutorials by pretty famous YouTube content creators (Fireship) and they do not touch server side code and still show how to make a production applications. All the tutorials use only Angular and some libraries to produce the apps and features but then the console on Google says not to expose the API keys. Using only client side Angular even in production environment variables exposes the private keys right?

So in short, should I be using Node to CRUD and Auth with Firestore, or server-side rules on the console works safe?

See https://stackoverflow.com/a/37484053, https://stackoverflow.com/q/56718206, and many of the questions linked from there. — Frank van Puffelen, Jun 25 '19 at 13:47

score 3 · Accepted Answer · answered Jun 25 '19 at 05:17

The configuration that you use on the client to get it to communicate directly with Firebase services is does not include a private API key. Much has been said about this in various forums over the past few years. The thing you see that might be labeled an API key is actually public information. It helps the client library locate the project it's working against. The API keys you want to hide are those that exposed direct access to other billed services, including Google Cloud service accounts.

You limit access to Firebase backend services (Cloud Firestore, Realtime Database, Cloud Storage) using security rules to determine what a user can or can not do with the data stored in it. If you don't do this correctly, you could have problems.

Whether or not you want to let the client access the services directly or make the client go through some middleware you write should be decided by other reasons, as discussed in this article.

Hey, thank you so much for the comprehensive answer. It really helps and the article further clarifies the answer by giving the details. So, to sum up, it is indeed safe to use client side only for CRUD and Auth provided the server-side rules on the platform are set up correctly and best practices are used? Because the client being able to see all js is the main concern for my app. I do not want to risk my app since it is new startup. — Parth Agarwal, Jun 25 '19 at 06:10
It's as safe as your security rules allow. Client-only apps are very common. — Doug Stevenson, Jun 25 '19 at 06:18

Is it safe to use Firestore and its features via client only?

1 Answers1

Linked