0

I am using react-native and mysql.

firebase is only used for push notifications.

In the backend, i can hide the api key by using .env, but the problem is that the firebase api key is used in the front.

How can I hide the FIREBASE_API_KEY in this case?

Also, do I need to hide the firebase api?

this is my code

        const TextInput = ({hideTodoInput}) => {


          async function sendmessage() {
            const message = {
              to: fcmusertoken,
              notification: {
                title: `${me?.nickname}님이 댓글을 남기셨습니다`,
                body: commentText,
                sound: 'default',
              },
              priority: 'high',
            };
        
            const FIREBASE_API_KEY = 'firebase api key'   //how can i hide this firebase api key?

            let headers = new Headers({
              'Content-Type': 'application/json',
              Authorization: 'key=' + FIREBASE_API_KEY,
            });

            try {
              let response = await fetch('https://fcm.googleapis.com/fcm/send', {
                method: 'POST',
                headers,
                body: JSON.stringify(message),
              });
              response = await response.json();
            } catch (error) {

            }
          }

          return (
            <Input
              autoFocus={true}
              autoCapitalize="none"
              autoCorrect={false}
              placeholder="댓글달기"
              returnKeyType="done"
              value={commentText}
              onChange={onChangeCommentText}
              onSubmitEditing={() => {
                onSubmitComment();
                hideTodoInput();
              }}
            />
          );
        };
        export default TextInput;
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
user15322469
  • 841
  • 1
  • 8
  • 31
  • *firebaser here* Calls to the FCM REST API require that you specify the FCM *server** key in your code. As its name implies, this key should only be used in server-side code, or in an otherwise trusted environment. The reason for this is that anyone who has the FCM server key can send whatever message they want to all of your users. By using or including this key in your React Native app, a malicious user can find it and you're putting your users at risk. See https://stackoverflow.com/a/37993724 for a better solution. – Frank van Puffelen May 20 '21 at 14:25
  • @FrankvanPuffelen thank you for answer! how about fcm token? is it okay to expose fcm token in front? for example in redux store – user15322469 May 20 '21 at 16:00
  • The FCM token is generated for a specific app on a specific device. The user themselves will always be able to see it, and it's quite common to share it so that user's can send messages to others. You'll often want to establish some connection between the users who have those tokens though, like a mutual friend connection in the database. – Frank van Puffelen May 20 '21 at 16:47
  • @FrankvanPuffelen thank you for help!!!!! – user15322469 May 20 '21 at 17:08
  • You're welcome! – Frank van Puffelen May 20 '21 at 17:31

0 Answers0