user3653771

Reputation: 107

How to handle google firebase web app security?

If I am using Firebase & Firestore with an Angular web app, how do I restrict access to my Firebase resources so that they’re not able to be accessed from outside of my Angular application?

The primary vulnerability would seem to be that my Firebase config is exposed in the Angular code. I want to eliminate the ability for a malicious developer to take this config and develop some bot or hack app.

Upvotes: 3

Views: 655

Answers (1)

aslary

Reputation: 411

You might want to create a kind of layer in between (e. g. a REST API), where the config is only stored on your server. Thus, the clients then will only have access to that REST API, so there is no chance to see what's inside your configuration!


The docs state that there are many bindings of Firebase for several languages, such as:

  • Java/Kotlin
  • Swift/Obj-C
  • C++
  • JavaScript

For more details, have a look here.


Also, I think this REST layer I came up with does not seem to be an awkward or uncommon thing, since there is a very good article here on the official docs.


So to conclude, your best bet would be to really build your own REST API. You will most likely still get notified on your server by Firebase, if e. g. an event happens, however, notifying the clients will not be done by Firebase anymore, but by your server (this could be achieved using WebSockets for example).

These are just ideas, so I am not very sure. Maybe Firebase could still notify your clients and you won't need any WebSockets.

On the framework side of things you have many options. The only thing that really matters, is that the core language of the framework is indeed a supported language of the many Firebase implementations (Java, JS, Kotlin, C++, Swift, ...).

I would suggest you have a look at the standards and frameworks below, and choose the one you like best:

  • Node.js/Express.js
  • Spring Boot (or Spring MVC if you are not into auto-config)
  • JAX-RS (JavaEE standard)

Edit: However

I think building a REST API just to overcome possible security issues seems like doing everything twice (creating REST resources, just to call another Google API). I don't want to advise against Firebase, since the event-driven architecture is very hot, but if you are building an API, then probably creating your own database instance (NoSQL for your case of a social network seems more appropriate) would be somewhat more reasonable. But again, I am only sharing my thoughts :)

Upvotes: 1