Securing Firebase API keys?

Does the Firebase integration with AppGyver require separate security to hide Firebase API keys?

I’ve yet to be able to find docs or similar questions regarding general security within AppGyver when it comes to the Firebase integration. I understand the Firebase security rules but is this enough to keep someone from being able to find my Firebase API keys in my build?

In the docs regarding API security it mentions that the best way to connect to an API is to set up a backend middleware that handles authentication. Is this what other people who are connecting backends, whether they’re Firebase or not, are doing in order to secure their apps?

Hi Alex,
you need to take care of your database by establishing the security rules; not trying to hide the API-key.

Have a look on the official firebase docs (Узнайте об использовании и управлении ключами API для Firebase):

  • Secure your database and Cloud Storage data by using Firebase Security Rules , not by restricting and/or obscuring your API keys”

I store my keys in my Firebase database and read them dynamically into an App variable during run-time. This way they are not stored in the build anywhere.

1 Like

Ahh, ok. Thanks for letting me know. I kept seeing people say that API keys will be exposed in the build and anyone could get at them and that this was bad practice. I didn’t realize that this was ok as long as you have security rules in place.

Thank you for letting me know!

Right, it’s bad practice to hard code the key in a Set App Variable or Set Page Variable function. I just read the key in from a database record, that way if the key were to ever need changing I can just change it in the database without requiring a new app build.

Got it. Thanks for the help!

Hi John, the keys are still available in browser network traffic with all info - even keys - Is it possible to hide, unless you use a proxy? I can view all my Firebase request and responses in the browser console even though I applied rules to restrict it to authenticated users. The refresh tokens expires in 1 hr but still its vulnerable.

It would be ideal if there was a way to encrypt/decrypt those keys coming across the network. I mainly just keep my server key stored on the database because I can auth-protect access to that database as needed, but also if the key needed to be changed, or did get compromised, then I could change it easily without needing to publish a new app build. Still, there is the issue of an un-encrypted server key coming across the network which is worrisome.

Absolutely. For any serious production app, a decent backend is needed between Firebase and Appgyver - mainly to manage security. Otherwise it’s way too risky.

I’m exploring a proxy server to hide the URL s and creds.

Hi @Kaushik_Bhattacharya ,

Did you manage to find a reliable solution for this?

1 Like

I’m currently conducting a bit of a convoluted backend experiment that may have some relevance to this discussion. I’ve been looking through Google’s docs on token security and they seem to suggest that best practices involve storing any api keys that are used to authorize a backend function for a web app externally to the source directory of the application. If I’m reading it correctly, the following excerpt from the custom component properties menu may hold some kind of answer for us.

Private variables

Private variables are only usable in component template editor. They can be used to write and read data throughout the component’s internal lifecycle, without making that data available from the “outside” when using the component in an app.

Private variables can be set with the Set private variable flow function in component template editor."

I’m still playing with it to see if I can get one of these variables to occupy an http header instead of a UI component property, but I may be entirely off base here and require clarification. Any feedback would be greatly appreciated.

What about the firebase connector? The fields ask for the API key. I can right click and inspect an appgyver web app and see all of this info.