Reputation: 45
Firestore API key in an extension
I'm making a Chrome extension.
The extension creates a unique code that corresponds with an url that the user provides.
I write this url and the uID to my Firestore database.
var url = document.getElementById("url").value;
var uID = randomID();
db.collection("links").doc(uID).set({
url: url
})
But now everyone that has my API key (that is stored in a plain JS file) can write to the database, and I need the extension to be able to write to the database.
Is there a way of securing the database for a Chrome extension?
Upvotes: 1
Views: 855
Answers (1)
Reputation: 9567
There are several ways to secure your database. First you should make your plugin require some form of authentication to Firebase/Firestore.
https://firebase.google.com/docs/auth/web/start
That would make your plugin users not connect anonymously. Then you can apply rules to your Firestore to protect data where needed.
If you use the chrome identity API you may be able to lift on the Google ID of your users. Here is what seems like a solid example extension showing off the process.
https://github.com/firebase/quickstart-js/tree/master/auth/chromextension
At our work make use of the custom token functionality Firebase offers so we can use our own identity provider, which works great too, if you need it.
Stick to the docs, they do explain it fairly well.
Upvotes: 2
Related Questions
- Creating key in firestore
- Connect a Manifest Version 3 Chrome Extension to a firestore database
- Firestore get doc without knowing the key
- Problem with adding key to firestore documents
- Why does my Firebase project work without specifying the apiKey?
- Use Firebase for Chrome Extension authentication
- firestore api for browser and node
- Firebase api key restriction allow chrome extension
- How to get an existing Doc key in Firestore JS?
- firebase in chrome extension