Reputation: 333
When creating a new project Firebase generates browser API keys automatically in the GCP API credentials. This is the same API key that is set in the Firebase Web client SDKs and is publicly available.
By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project. Surprisingly I have not found information about securing this key in the Firebase documentation.
So I took two extra steps to secure the key:
My question is mostly related to points #2-3. What are the APIs that need to be enabled for various components of Firebase to work on the web?
Upvotes: 20
Views: 2068
Reputation: 3104
> By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project.
This is indeed possible and I am able to make e.g. a Google Maps API call with the auto-generated Firebase API key.
Such preconfigured behaviour was certainly unexpected and I am now experimenting with the restrictions as per the extra steps described in the original question.
Upvotes: 2
Reputation: 521
I also enabled those same two APIs, but I used the Metrics Explorer to see what the various Firebase-created keys had been using based on actual traffic.
In GCP,
consumed_api and select it
credential_id, select it, then type service, and select it
sum
By now, the legend for the graph should list all the credential ids and which services they used in the last 6 weeks. You should be able to figure out the APIs from the service.
You can use Filter to filter by credential_id if the results are too noisy.
Upvotes: 9
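The per-key usage review described in the answer above, as an added example (not code from any of the posts): it sums request counts per credential_id and service, then splits one key's observed services into those to keep in its API restriction list and those that look unexpected. The JSON is a constructed sample assumed to follow the shape of a Cloud Monitoring time-series response for the consumed_api resource; the credential ids, service names, counts and function names are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: credential ids, services and counts are made up.
SAMPLE = json.loads("""
{"timeSeries": [
  {"resource": {"type": "consumed_api", "labels": {"credential_id": "apikey:web-key-1", "service": "identitytoolkit.googleapis.com"}},
   "points": [{"value": {"int64Value": "120"}}, {"value": {"int64Value": "80"}}]},
  {"resource": {"type": "consumed_api", "labels": {"credential_id": "apikey:web-key-1", "service": "firestore.googleapis.com"}},
   "points": [{"value": {"int64Value": "40"}}]},
  {"resource": {"type": "consumed_api", "labels": {"credential_id": "apikey:web-key-1", "service": "maps-backend.googleapis.com"}},
   "points": [{"value": {"int64Value": "900"}}, {"value": {"int64Value": "50"}}]},
  {"resource": {"type": "consumed_api", "labels": {"credential_id": "apikey:android-key-1", "service": "firebaseinstallations.googleapis.com"}},
   "points": [{"value": {"int64Value": "10"}}]}
]}
""")

def usage_by_credential(response):
    """Sum request counts per (credential_id, service), like Group By plus sum."""
    totals = defaultdict(lambda: defaultdict(int))
    for series in response.get("timeSeries", []):
        resource = series.get("resource", {})
        if resource.get("type") != "consumed_api":
            continue  # ignore series for other monitored resource types
        labels = resource.get("labels", {})
        cred = labels.get("credential_id") or "(no credential)"
        service = labels.get("service", "(unknown)")
        for point in series.get("points", []):
            # int64 values arrive as strings in the JSON encoding
            totals[cred][service] += int(point.get("value", {}).get("int64Value", 0))
    return {cred: dict(services) for cred, services in totals.items()}

def review_key(usage, credential_id, intended_services):
    """Compare the services a key actually called with the intended allowlist."""
    seen = usage.get(credential_id, {})
    return {
        "keep": sorted(s for s in seen if s in intended_services),
        "unexpected": {s: n for s, n in seen.items() if s not in intended_services},
        "unused": sorted(set(intended_services) - set(seen)),
    }

if __name__ == "__main__":
    usage = usage_by_credential(SAMPLE)
    intended = {"identitytoolkit.googleapis.com", "firestore.googleapis.com",
                "securetoken.googleapis.com"}  # assumed allowlist for the web key
    print(json.dumps(review_key(usage, "apikey:web-key-1", intended), indent=2))
```

Services listed under "unexpected" are the ones an API restriction on the key would cut off; check "unused" against a longer time window before dropping those entries.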