0

I'm an Android developer and have already worked with Firebase, but as soon as I wanted to use it on a web app, I got confused. I wanted to use Node.js since I know the main language supported by Firebase for web development is JavaScript.

I got confused as I saw that some features of Firebase (like Firebase Storage) weren't supported on Node.js, but were supported on what they called the "web". I think that confusion is coming from the fact that I'm not a web developer, but I'm not able to tell the difference between browser JS and Node.js with Firebase.

If I use browser JS, is it okay to leak my Firebase config? Or should I work with Node.js and leave the config on the server side?

You might see that I'm a bit lost with how I should use Firebase to build a web app. I'd love to have some advice about all that.

Adel

1 Answer

1

JavaScript is the lingua franca of web development, and it can run in many places.

For web projects using Firebase, most of the JavaScript code runs in the browser, and uses the Firebase JavaScript/Web SDKs.

The second most common place to run JavaScript code is in trusted environments, such as your development machine, a server you control, or Cloud Functions, using the Firebase Admin SDK for Node.js.

So the first type of code runs in the user's browser, while the second type of code runs in an environment you can trust.

For code that runs in the user's browser, you don't ever want to trust that the code they run is the code that you wrote. But the same applies to your current Android apps too: a malicious user can get the configuration data for Firebase from your APK file, and then use the same configuration with code that they wrote.

That's why to protect access to data you store in Firebase, you'll use its [server-side security rules], instead of trusting the code. These rules are part of the business logic of your app, in the same way that your code is. Once you've written good rules, they protect the data in your project, no matter what code is trying to access it. And that's also the reason why it's not a security risk to have your configuration data in the client-side JavaScript for your web project, or in the Android app for that matter.

Also see:

Frank van Puffelen
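As an added illustration of the server-side rules the answer above refers to (not part of the original answer), here is a Cloud Firestore ruleset with the open setting shown commented out beside an owner-only version. The `users` collection, its use of the Firebase Authentication UID as document ID, and the `displayName` field are assumptions made for the example.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak setting, shown only for contrast and left commented out:
    // with this rule, any code holding the public config can read and
    // write every document in the database.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // True only for a signed-in user whose UID matches the document ID.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Constrains the shape of what a client may write (hypothetical schema).
    function validProfile(data) {
      return data.keys().hasOnly(['displayName'])
          && data.displayName is string
          && data.displayName.size() <= 50;
    }

    // Hypothetical collection: one profile document per user,
    // keyed by that user's Firebase Authentication UID.
    match /users/{userId} {
      // Only the owner can read their own profile.
      allow read: if isOwner(userId);

      // The owner can create or update it, but only in the expected shape.
      allow create, update: if isOwner(userId)
                            && validProfile(request.resource.data);

      // Clients can never delete; do that from a trusted environment
      // with the Admin SDK, which is not subject to these rules.
      allow delete: if false;
    }

    // Any path without a matching allow statement is denied by default.
  }
}
```

These conditions are evaluated on Firebase's servers for every request from a client SDK, so they hold whether the request comes from your web page, your Android app, or code someone else wrote using the same configuration values.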