Firebase security

3

I'm starting to study Firebase; I really enjoyed the Firebase Realtime Database for web, but one question that won't leave my head is: how do I protect my account if the configuration data stays in the JS? Could another malicious person use the JS code, or is there no such thing ..

<script src="https://www.gstatic.com/firebasejs/3.6.6/firebase.js"></script>
<script>
  // Initialize Firebase
  var config = {
    apiKey: "E",
    authDomain: "",
    databaseURL: "",
    storageBucket: "",
    messagingSenderId: ""
  };
  firebase.initializeApp(config);
</script>
    
asked by anonymous 20.01.2017 / 14:51

2 answers

5

In the Firebase console, the Authentication tab has the option of domains allowed to use Firebase.

By default, localhost and your project's domain are already registered.

Take a look at this link:

Configure OAuth redirect domains in a web app (link)

Remember: if you leave localhost in, then someone with malicious intent can do something.

See a screenshot of where you can configure it:

25.01.2017 / 18:53
0

The allowed domains for authentication that Thiado Bocchile mentioned only concern Authentication. That is, in the case of frontend development with JavaScript, even if they download your entire page, it will not authenticate through that page because it is not in an allowed place (if you removed localhost, of course). But that is not enough: since it is not possible to hide the Firebase access data (even if you "hide" it on the server and fetch the access data at runtime, that fetch will be visible in the JS file), you need to protect the data and files through Authorization, allowing only Authenticated users to access the data, and only the data each user has Authorization for. Otherwise the "attacker" can, for example, access the data even without authentication, or with u (or as anonymous). Security on Firebase only works with Authentication together with Authorization; any oversight, and someone can read and delete all your data with 3 lines of code.

PS: even though I said that "hiding" the data on the server does not solve it, it helps a bit, because it is harder for the attacker to know what to look for in your code; by default he just looks for the word apiKey, which he finds in the minified code along with all the access information.

19.12.2017 / 17:13
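The "Authorization" this answer refers to is the Realtime Database security rules. The setting that lets anyone read or delete everything is a root rule of `".read": true, ".write": true`, which is what a fresh test-mode database ships with. As an added example (not code from the question or the answers), the rules below assume a hypothetical database with a `users/{uid}` branch and a `posts/{postId}` branch; everything the page's own config (apiKey, databaseURL) exposes stays public, and the rules are what keep that from mattering:

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        "email": { ".validate": "newData.isString()" }
      }
    },
    "posts": {
      ".read": "auth != null && auth.token.firebase.sign_in_provider !== 'anonymous'",
      "$postId": {
        ".write": "auth != null && (!data.exists() || data.child('author').val() === auth.uid)",
        ".validate": "newData.hasChildren(['author', 'text']) && newData.child('author').val() === auth.uid",
        "author": { ".validate": "newData.isString()" },
        "text": { ".validate": "newData.isString() && newData.val().length <= 2000" }
      }
    }
  }
}
```

Three design points worth checking before you ship rules like these: there is deliberately no `.read`/`.write` at the root, because Realtime Database rules cascade downward and a grant at a parent cannot be revoked at a child, so anything not listed is denied; `auth != null` alone still admits users who signed in anonymously (they get a real `auth.uid`), which is why the `posts` read rule also rejects the `anonymous` sign-in provider; and the `.validate` entries are what stop an authenticated user from writing a post under someone else's `author` field, since the `.write` rule only decides whether the location may be touched, not what may be stored there. Rules can be exercised against both an unauthenticated request and a signed-in user in the console's rules simulator before deploying.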