Reputation: 31
I am attempting to create an application with a unique architecture. There will be an Android app, a server, and a desktop client. The catch is, the server will be locally hosted by users (following the Mopidy architecture on Linux). That is, each user will locally host their own server that only they use, which they can turn off whenever not using the client/Android app.
This application requires the server to be able to send information to the Android application, and it appears the only real solution out there is Firebase Cloud Messaging (though please correct me if there are good alternatives). The issue seems to be that Firebase requires the server to store and give the path to the private key JSON file. Distributing this key to all users is obviously not safe. I was wondering if there is any better solution to this problem?
What I've tried:
I created an Android application and used the Android Studio tools to add Firebase to the project and create a Firebase project in the console.
I then downloaded the private key from the console and used that in my server code.
The app and server can communicate, but this architecture doesn't seem ideal from a security standpoint.
Server (C#) Firebase connection code:

    using FirebaseAdmin;
    using Google.Apis.Auth.OAuth2;

    // Loads the service-account private key from disk; whoever can read this
    // file gets administrative access to the Firebase project.
    FirebaseApp FBApp = FirebaseApp.Create(new AppOptions()
    {
        Credential =
            GoogleCredential.FromFile(
                "/path/to/json/file/firebase-adminsdk*.json"),
    });

I would really like to be able to maintain this architecture if possible, but please let me know if this just simply isn't possible.
Upvotes: 1
Views: 344
Reputation: 598740
If you want the server to be able to access Firebase with administrative privileges, that server will need to have access to those credentials. This means it will have full access to everything in your Firebase project.
If you don't want the server to have such access, the server should never have access to those credentials.
The safe solution is to host the relevant functionality that you want the server to be able to call on a custom endpoint that you build, and that only you can deploy. This can either be in a server you control, or on something like Cloud Functions. The key here is that only you (or your trusted collaborators) can access that server, so that others cannot take the keys from there, or change the code. This also allows you to tighten the authorization rules (e.g. who is allowed to send notifications to whom) when needed.
Upvotes: 1
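A sketch of the relay endpoint the answer describes, as an added example that is not part of the original question or answer: each user-hosted server holds only its own relay key, and the relay checks "who may send to whom" before anything reaches FCM. The names `authorize`, `createRelay`, `pairings` and the sample keys and tokens are hypothetical, and the FCM call is an injected fake so the code runs offline.

```javascript
const nodeCrypto = require("crypto");
const sha256 = (s) => nodeCrypto.createHash("sha256").update(String(s)).digest("hex");

// Constructed sample data. Each self-hosted server gets its own relay key
// (stored hashed) and is paired only with its owner's device tokens.
const pairings = new Map([
  [sha256("relay-key-alice"), new Set(["device-token-alice"])],
  [sha256("relay-key-bob"), new Set(["device-token-bob"])],
]);
const MAX_DATA_BYTES = 4096; // FCM caps message payloads at 4096 bytes

// Decide whether this caller may send this payload to this device.
function authorize(relayKey, deviceToken, data, table = pairings) {
  const devices = table.get(sha256(relayKey));
  if (!devices) return { status: 401, error: "unknown relay key" };
  if (!devices.has(deviceToken)) return { status: 403, error: "device not paired with this key" };
  const ok = data !== null && typeof data === "object" && !Array.isArray(data) &&
    Object.values(data).every((v) => typeof v === "string");
  if (!ok) return { status: 400, error: "data must be an object of strings" };
  if (Buffer.byteLength(JSON.stringify(data)) > MAX_DATA_BYTES)
    return { status: 413, error: "payload too large" };
  return { status: 200 };
}

// sendToFcm is injected so the Firebase admin credential lives only in the
// deployed relay. Assumption: in production it wraps the Admin SDK's
// messaging send call; here a fake stands in for it.
function createRelay(sendToFcm, table = pairings) {
  return async function handleSend(relayKey, deviceToken, data) {
    const verdict = authorize(relayKey, deviceToken, data, table);
    if (verdict.status !== 200) return verdict; // denied: FCM is never called
    const messageId = await sendToFcm({ token: deviceToken, data });
    return { status: 200, messageId };
  };
}

// Demo with a fake sender (constructed).
const sent = [];
const relay = createRelay(async (msg) => { sent.push(msg); return "fake-id-" + sent.length; });
relay("relay-key-alice", "device-token-alice", { event: "sync" })
  .then((r) => console.log("alice -> own device:", r.status));
relay("relay-key-alice", "device-token-bob", { event: "sync" })
  .then((r) => console.log("alice -> bob's device:", r.status));
```

A leaked relay key exposes only the devices paired with it and can be revoked by deleting one entry, whereas a leaked service-account file exposes the whole Firebase project.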