1

Services like Google Firebase allow registering a frontend Web App within their system and issue some access credentials to put directly into your frontend JS code. Since those access credentials are put on the frontend, anyone can potentially 'steal' them and they are considered public.

var firebaseConfig = {
  apiKey: "api-key",
  authDomain: "project-id.firebaseapp.com",
  databaseURL: "https://project-id.firebaseio.com",
  projectId: "project-id",
  storageBucket: "project-id.appspot.com",
  messagingSenderId: "sender-id",
  appID: "app-id",
};

Since this is basically public data, how does Firebase securely distinguishes whether the application is actually yours (registered one) or someone else just copied those credentials into their own app?

And in case any app having this data can access your firebase project - what's the point of even having an apiKey in the first place. I'm sure there is some. Trying to understand how such systems work from security perspective.

The main question I have is: is there a secure way to grant API access to third-party frontend apps that are registered with the system (e.g. paid to get access to your API) without their own backend involvement?

Daniil Andreyevich Baunov
  • 2,723
  • 1
  • 24
  • 48
  • 1
    What you showed are **not** credentials, but merely configuration data that is necessary to find your project on the servers. See my answer here: https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public Firebase doesn't distinguish on an application level, since it doesn't really matter who wrote the code. It instead allows you to lock down access to its serviced based on *who* accesses them (the Firebase Authentication user signed into the app), and on *what* they can do with it (i.e. what data is valid in the database). – Frank van Puffelen Aug 15 '19 at 21:55
  • Thanks, @FrankvanPuffelen for explanation. I guess firebase example was not very suitable here in this case. The main question still remains though.. Are there any secure ways to limit access to an API to specific frontend apps/domains? – Daniil Andreyevich Baunov Aug 16 '19 at 09:01
  • That depends on the API. Firebase Authentication allows you to set a list of authorized domains. – Frank van Puffelen Aug 16 '19 at 13:31

0 Answers0