@Kirill_Leventcov Is it normal the API key appears appended to the request URL in the Chrome dev tool when this built-in function is fired?
Should this function be used only after the user logs in, or is it something you need to fix?
Pretty disappointing that no one picks up on this important security question.
This is what the dev tool shows when get current user (firebase auth) is fired:
Is it normal - and if so, that means this function should be used only after user is logged in?
If not, can this be fixed since this is a built-in function (I thought these functions were secure…)?
Hi,
Yes, this is how this particular Google API endpoint works:
that means this function should be used only after user is logged in?
Yes, since by definition, there is no user until they log in.
Thank you for reassuring us and for the clarification.