Reputation: 8430
How to restrict API key if firebase don't have authentication?
I m creating an app using firebase. As in our app, there is no sign-in concept(users don't need to sign in to the application). so now I need to secure my firebase.
As the API key is publicly exposed, but we can still restrict that API key to some domain or some IP.
These API keys are auto-created by firebase.
Let's consider a web app, I choose the HTTP address and add my domain. It means that the key is bind to the domains which I have entered in the API and Services - Credentials Section.
In the real-time Firebase security rules.
{
/* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
"rules": {
".write": "auth!=null && auth.uid === 'my uid'"
".read": true
}
}
I just add the security for write but for app users(web, android, or ios) as there is no signing concept I set as true value.
But now the question arrives how can I make my firebase secure so that if any other app or web app using our firebase it should not return data. It will always throw forbidden or unauthorized err but not data as that unauthorized app or domain I haven't bind in mine keys
For this, I have restricted my API key,
For browser key, authorized domains added
For android key, authorized app(SHA and package added)
For the ios key, bundled ids are added.
But the restriction is not working for the API keys.
Although when I added authentication is read also, then API restriction working perfectly (But this still causing the problem as our app has millions of users, it says "The SMS quota for this project has been exceeded. Exceeded quota for verifying password")
So how should I restrict firebase to listen from our domain and our app only?
I even try sign-in in anonymously but it is not a solution as it creates millions of anonymous users which are not correct. Also, the Anonymous account has a 100 million limit.
Also go through App Check, different providers for different platforms but it also has quota limit so didn't check
Hope I m able to explain the question.
Any suggestions would be really helpful
Upvotes: 1
Views: 1328
Answers (1)
Reputation: 598740
What you're looking for is Firebase's new App Check feature, which protects your backend resources from abuse. For web apps App Check uses reCAPTCHA v3 to reduce the chances of abuse.
But I'd still recommend that you implement Authentication and security rules too. If you don't want to require that your users enter credentials, you can use Firebase's anonymous authentication to generate a unique UID for them. You can then check for that UID in your security rules, and still ensure that each user/device only accesses the data they're authorized for.
Upvotes: 2
Related Questions
- How to allow only my app to access firebase without a login?
- Firebase API key restrictions
- Firebase - restrict API key for web application
- API key not valid firebase auth
- Restricting Firebase API Keys
- Android Firebase Rest API Authentication
- Access data in Firebase from android only if user authenticated
- how to make authenticated requests to Firebase Realtime Database with api key
- Firebase - Prevent user authentication
- Android unique key for firebase realtime database / firebase authentication