
I was wondering how to secure Firebase Auth. I plan on using Firebase JUST for user authentication (not using Firestore or Realtime Database). Since the API key is exposed on the client, my fear is that a malicious user can find the key and start using it inappropriately. So far I've done the following to try to improve security:

  1. Limit key use to a specific domain
  2. Restrict the key to only be able to use "Identity Toolkit API"

Is there anything else I should do here?

koji98
  • "using it inappropriately" What does inappropriate use mean to you? What risk are you trying to guard against? I'd also recommend checking the Firebase documentation on API keys here: https://firebase.google.com/docs/projects/api-keys – Frank van Puffelen Dec 05 '21 at 00:46
  • @FrankvanPuffelen By using inappropriately, I mean using it at all. My application should be the only one able to use my credentials to access the Firebase API. I fear that since the credentials are on the client, someone could check the Network tab on requests to get them, copy the key, project ID, etc., and then start attempting to make requests against my Firebase application. This is new territory for me since this is a client side service and I'm used to any authentication being serverside. – koji98 Dec 05 '21 at 04:36

1 Answer


My application should be the only one able to use my credentials to access the Firebase API.

For any app where you access a cloud based API directly from within the client-side application code, that is going to be a myth. The closest you can get within Firebase these days is with App Check, but that isn't available for Authentication calls at the moment.

Part of the reason for this is that the authentication API is quite well protected on its own already, and most abuse will actually not affect you as a developer very much. E.g. (ignoring phone auth) there is no charge for account creation, sign in, and any other operations.

I highly recommend checking:

Frank van Puffelen