
I understand that Firebase is a nice solution with which we need not pay much attention to back-end/server-side development.

But since all the code is on the client side (if we use JavaScript/HTML5 as the client, it will be easy to unpack), how can we protect code on the client side?

Because we have a standard server side (the Firebase back-end service), anyone who gets our JavaScript/HTML client can simply edit the URL of our client and release their own new client app.

Is there any solution for that?

Jimmy
  • Firebase is a whole suite of products, and how to secure them depends on what products you use. But I'd recommend reading https://stackoverflow.com/q/32403122, https://stackoverflow.com/q/45909313, https://stackoverflow.com/a/51239184, https://stackoverflow.com/a/37484053, https://stackoverflow.com/q/56483932, all of which cover aspects of how to properly secure a pure client-side application that talks directly to Firebase's back-end services. – Frank van Puffelen Mar 31 '20 at 13:31
  • @FrankvanPuffelen Thank you. I think you may misunderstand the question. I talk about source code security when using Firebase, not Firebase security. BTW I don't see any reason to CLOSE this question for 'need more focus'. – Jimmy Apr 01 '20 at 10:05

1 Answer

You are right, it is totally possible to reverse engineer your front-end code. If some of your business logic should stay secret (aka your "secret sauce") the recommended approach in a Firebase project is to implement it in your back-end.

The most common/easy solution to do so is to use Cloud Functions because they take advantage of the serverless nature of the Firebase services and they are tightly integrated with the other services (Database, Cloud Storage, Auth, etc.).

Concretely, you would write one or more Cloud Functions that you would trigger either directly from your front-end (see Callable Cloud Functions or HTTPS Cloud Functions, which can be seen as similar to REST API endpoints), or by a background event (e.g. new Document in Firestore, new file in Cloud Storage, etc.), or on a schedule.

Another solution would be to implement this secret business logic in your own application server and expose APIs that you would call from your front-end. Your server could interact with the Firebase back-ends via the Admin SDK (available for Node.js, Java, Go, C# and Python).

Renaud Tarnec
  • Thank you! I think you mean "Server-less is not equal to Zero-backend-coding, back-end coding is a must when I want to protect the 'secret sauce'". – Jimmy Apr 01 '20 at 10:04
  • By serverless I mean that you don't need to set up and maintain your own server(s). A serverless architecture doesn’t mean there aren’t any servers: there is a Cloud provider allocating the server resources, but you don’t have to think about those servers and worry about server management. So it makes things much easier, compared to a solution based on your own servers. – Renaud Tarnec Apr 01 '20 at 12:28
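
The callable Cloud Function approach from the answer above, as an added example (not code from the original answer or from Firebase): the pricing rule stays inside the function, and the handler checks authentication and input because a modified or cloned client can send anything. The names `makeQuoteHandler`, `CATALOG` and the pricing rule are hypothetical, and the `(data, context)` handler shape assumes the firebase-functions v1 API.

```javascript
// Added example. All names and values below are hypothetical/constructed.

// Local stand-in for functions.https.HttpsError so this file runs offline.
class HttpsError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// "Secret sauce": exists only in the deployed function, never in the client bundle.
const CATALOG = {
  'sku-a': { costCents: 1000, margin: 0.30 },
  'sku-b': { costCents: 4000, margin: 0.18 },
};

function secretPrice(sku, quantity) {
  const { costCents, margin } = CATALOG[sku];
  const bulk = quantity >= 10 ? 0.9 : 1; // bulk discount rule, also server-only
  return Math.round(costCents * (1 + margin) * quantity * bulk);
}

// Builds a callable-style handler. The error class is injected so the same
// code works with the stand-in here and with the real HttpsError when deployed.
function makeQuoteHandler(ErrorClass) {
  return function quoteHandler(data, context) {
    // The client is untrusted: require a signed-in caller.
    if (!context || !context.auth) {
      throw new ErrorClass('unauthenticated', 'Sign-in required.');
    }
    const { sku, quantity } = data || {};
    // Own-property check rejects unknown SKUs and keys like "__proto__".
    if (!Object.prototype.hasOwnProperty.call(CATALOG, sku)) {
      throw new ErrorClass('invalid-argument', 'Unknown sku.');
    }
    if (!Number.isInteger(quantity) || quantity < 1 || quantity > 1000) {
      throw new ErrorClass('invalid-argument', 'quantity out of range.');
    }
    // Return only the result, not the cost, margin or formula.
    return { sku, quantity, priceCents: secretPrice(sku, quantity) };
  };
}

const quoteHandler = makeQuoteHandler(HttpsError);

// Deployment wiring (firebase-functions v1), shown as a comment, not run here:
//   const functions = require('firebase-functions');
//   exports.quote = functions.https.onCall(
//     makeQuoteHandler(functions.https.HttpsError));
```

A client built from a copied bundle can still call the endpoint, but it only ever receives `priceCents`; the catalog costs and margins never leave the function.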