3

If I am using Firebase & Firestore with an Angular web app, how do I restrict access to my Firebase resources so that they’re not able to be accessed from outside of my Angular application?

The primary vulnerability would seem to be that my Firebase config is exposed in the Angular code. I want to eliminate the ability for a malicious developer to take this config and develop some bot or hack app.

user3653771
  • 107
  • 5
  • Well, Firebase will need that config, it pretty much only contain details about your application, but is not a vulnerability per se. Probably you should have a look at the accepted answer of this question https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – aslary Apr 10 '20 at 22:11
  • Thank you for your response. I have read through that question and many like it, but it seems the vulnerability I'm highlighted is being overlooked. Sure, I can require that the user authenticates before they can interact with my Firebase resources. But if I'm creating a public social network, anyone can create an account, and everyone has access to my Firebase config. What's stopping someone from using my config in their own app, authenticating with an account they created through my app, then writing to or reading from my database with free range? – user3653771 Apr 13 '20 at 22:33

1 Answers1

1

You might want to create a kind of layer in between (e. g. a REST API), where the config is only stored on your server. Thus, the clients then will only have access to that REST API, so there is no chance to see what's inside your configuration!


The docs state that there are many bindings of Firebase for several languages, such as:

  • Java/Kotlin
  • Swift/Obj-C
  • C++
  • JavaScript

For more details, have a look at here.


Also, I think this REST layer I came up with does not seem to be an awkward or uncommon thing, since there is a very good article here on the official docs.


So to conclude, your best bet would be to really build your own REST API. You will most likely still get notified on your server by Firebase, if e. g. an event happens, however, notifying the clients will not be done by Firebase anymore, but by your server (this could be achieved using WebSockets for example).

These are just ideas, so I am not very sure. Maybe Firebase could still notify your clients and you won't need any WebSockets.

On the framework side of things you have many options. The only thing that really matters, is that the core language of the framework is indeed a supported language of the many Firebase implementations (Java, JS, Kotlin, C++, Swift, ...).

I would suggest you to have a look at the below standards and frameworks, and choose the one you like best:

  • Node.js/Express.js
  • Spring Boot (or Spring MVC if you are not into auto-config)
  • JAX-RS (JavaEE standard)

Edit: However

I think building a REST API just to overcome possible security issues seems like doing everything twice (Creating REST resources, just to call another Google API). I don't want to advise against Firebase, since the event driven architecture is very hot, but if you are building an API, then probably creating your own database instance (NoSQL for your case of a social network seems more appropriate) would be somewhat more reasonable. But again, I am only sharing my thoughts :)

aslary
  • 383
  • 1
  • 11