I am currently using Heroku to store my environment variables for my Firebase authentication initialisation. I am using my server to get the environment variables and send them to the client using socket.io. Below is what I mean.

1) Example of sending environmental variable to client from server:

```js
socket.emit('value', process.env.apiKey);
```

2) storing it as data[0] in the client:

```js
socket.on('value', function(data) {
    firebase.initializeApp({
        apiKey: data[0],
    });
});
```

Is this safe? Can someone from the client retrieve the value of the apiKey if I save it like this on the client?

Thanks

KneeHowMa
  • The data that you pass to `initializeApp` is basic configuration data. It is not secret, not a security mechanism and can be safely shared with your users. See https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Frank van Puffelen May 24 '20 at 02:09
  • But my question was can people see this data value? – KneeHowMa May 24 '20 at 02:20
  • If the value exists in the client, malicious users can get at it. Not hard-coding the config inside the client merely adds one extra step. – Frank van Puffelen May 24 '20 at 02:30

1 Answer

If the data is used from the client, it can be gotten from there by a malicious user. Looking up the data dynamically like you do here, merely adds an extra step.

But the data that you pass to initializeApp is basic configuration data that allows the code to find your Firebase project on the servers. It is not a secret, it's not a security mechanism, and it can be safely shared with your users. See my answer here, for why you don't have to try and secure this data: Is it safe to expose Firebase apiKey to the public?

Frank van Puffelen
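Added example (not code from the question or the answer): a small simulation of the client flow above, showing why delivering the value over a socket at runtime does not keep it out of reach of whoever runs the page. `FakeSocket`, `makeFirebaseStub` and `demonstrate` are hypothetical stand-ins for the socket.io client and the Firebase SDK, and the payload is assumed to be an array so that `data[0]` is the whole key.

```javascript
// Stand-in for a socket.io client socket (assumption: only on/emit are modelled).
class FakeSocket {
  constructor() { this.handlers = {}; }
  on(event, fn) {
    if (!this.handlers[event]) this.handlers[event] = [];
    this.handlers[event].push(fn);
  }
  emit(event, data) {
    (this.handlers[event] || []).forEach((fn) => fn(data));
  }
}

// Stand-in for the Firebase client object loaded in the page.
function makeFirebaseStub() {
  return { config: null, initializeApp(cfg) { this.config = cfg; } };
}

// Runs the question's client handler and records every place where the
// same value is readable by other code in the same page.
function demonstrate(apiKeyFromServer) {
  const socket = new FakeSocket();
  const firebase = makeFirebaseStub();
  const observed = [];

  // 1. Any other script (or the console) can subscribe to the same event.
  socket.on('value', (data) => observed.push({ via: 'extra listener', value: data[0] }));

  // 2. The function that receives the config can be wrapped before it is called.
  const original = firebase.initializeApp;
  firebase.initializeApp = function (cfg) {
    observed.push({ via: 'wrapped initializeApp', value: cfg.apiKey });
    return original.call(this, cfg);
  };

  // The application's own handler, as in the question.
  socket.on('value', function (data) {
    firebase.initializeApp({ apiKey: data[0] });
  });

  // Models the server doing socket.emit('value', [process.env.apiKey]).
  socket.emit('value', [apiKeyFromServer]);
  return { observed, configured: firebase.config };
}
```

The value reaches `initializeApp` exactly as intended, and both observers see it too, which is the "one extra step" the answer describes.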