Reputation: 1
I have set up a Firebase project that uses the Firestore database. I was given the following snippet to use it in my JavaScript code:
    // Your web app's Firebase configuration
    var firebaseConfig = {
        apiKey: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        authDomain: "xxxxxxxxxx.firebaseapp.com",
        databaseURL: "https://xxxxxxxxxxxxx.firebaseio.com",
        projectId: "xxxxxxxx",
        storageBucket: "xxxxxxxxx.appspot.com",
        messagingSenderId: "xxxxxxxxx",
        appId: "1:xxxxxxxxxxxxxxxxxxxxxxxxxxx"
    };
    // Initialize Firebase
    firebase.initializeApp(firebaseConfig);
All was working to that point. I then needed to ensure that only my domain could use the app, by setting up authorized domains on the Firebase project, as well as on the apiKey in the "credentials" menu from the Google Cloud Platform project.
My project still worked to this point, but I noticed that it still worked from any domain. So the restriction was not working. Actually, with more testing, I found out that the apiKey was not even necessary for my project to work, and I can reduce the snippet to the following and things still work:
    // Your web app's Firebase configuration
    var firebaseConfig = {
        projectId: "xxxxxxxx",
    };
    // Initialize Firebase
    firebase.initializeApp(firebaseConfig);
So I am wondering: how can my project run and write in the Firestore database with only the projectId given? I am given a bunch of information in the snippet that is not even necessary.
Does anyone have an idea why this is happening to me? I tried to create a new project, following different tutorials again, with the same result. Actually, one of the tutorials I used has the same behaviour, as I can use this tutorial's project (it is actually online), just by specifying the projectId and I could make its Firestore quota run out by spamming it from my local server.
I can't find any information about a similar case to mine. Please help.
PS: here are my Firestore database rules, if it matters:
    service cloud.firestore {
        match /databases/{database}/documents {
            match /{document=**} {
                allow read, write: if true;
            }
        }
    }
Upvotes: 0
Views: 463
Reputation: 317392
Every Firebase project is actually a Google Cloud project, and each cloud project has a unique ID. Since there can only be one Firestore instance per project, it's sufficient to use just the project ID to locate it.
Other values from the config file are used for other Firebase products. If you don't use those products, then you don't need them. Feel free to leave them out if that suits you. Bear in mind that you might run into problems in the future if you don't use the full configuration.
If you are concerned about the security of your Firestore instance, you should be using security rules to limit who can read and write what data. It's not possible to limit access to it based on the domain of your web app, or the location of the user. The rules you have right now allow anyone with an internet connection to create, modify, and delete any document in your Firestore instance. You might want to change that.
Upvotes: 1
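A restricted rule set of the kind the answer recommends, as an added example that is not part of the original question or answer. The `/users/{userId}/notes/{noteId}` layout and the `text` and `updatedAt` fields are hypothetical; substitute the collections your app actually uses.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak form from the question, shown for comparison only:
    //   match /{document=**} { allow read, write: if true; }

    // Hypothetical layout: each signed-in user owns the documents
    // under /users/{userId}/notes.
    match /users/{userId}/notes/{noteId} {

      // True only for a request carrying a Firebase Authentication
      // token whose uid matches the path segment.
      function isOwner() {
        return request.auth != null && request.auth.uid == userId;
      }

      // Constrain what an owner may write: known fields only,
      // bounded text size, server-assigned timestamp.
      function validNote() {
        return request.resource.data.keys().hasOnly(['text', 'updatedAt'])
            && request.resource.data.text is string
            && request.resource.data.text.size() <= 2000
            && request.resource.data.updatedAt == request.time;
      }

      allow read, delete: if isOwner();
      allow create, update: if isOwner() && validNote();
    }

    // No other match blocks: any path not listed above is denied.
  }
}
```

With rules like these, a client that supplies only the `projectId` can still reach the database endpoint, but unauthenticated reads and writes are rejected. Signing in through Firebase Authentication is what requires the other fields of the full config, such as `apiKey` and `authDomain`.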