9

I am using different third party API keys in my reactjs-firestore project. But I can't find a way to secure them in firebase hosting. How can I hide these API keys in firebase hosting?

For example, in Netlify hosting services they provide environment variables feature which can be used to secure the API keys.

that is I can just store the API keys in the variables in netlify and it will be retrieved from there which will be secured.

But in firebase how do I do this?

I can't seem to find a similar setting wherein I can store the keys as environment variables in the hosting services.

if there is no such feature is there another way to secure these API keys?

and for the firebase API keys, I have already read some answers and understood that firebase API keys will not be hidden.

is there at least some way to secure these firebase API keys to just one secured URL at least? (I know that writing security rules is the best approach but am trying to find other options as well).

I can't seem to find a way to secure firebase project API key usage to one secured URL.

I have tried to find ways to secure the API key but I haven't been successful.

below is how I retrieve data in reactjs code


axios.post(`https://data.retrieval.com/1/data?key=API_KEY`,  data)

I am trying to hide the API_KEY in the production code

I want to secure third party API keys in my hosted website. and also restrict my firebase project API key to just one secure URL. am not able to do this now. any suggestions or solutions?

Thank you for trying to help. and thank you for your time

Improve this question

3 Answers 3

Reset to default
6

If you're using the API key in client-side code, there is always the chance that a malicious user can find the key and abuse it. The only way to protect against this is to not use the API key in client-side code, or to have a backend system that can protect access based on something else (such as Firebase's server-side security rules).

Since your backend system likely doesn't have such a security model, you'll typically have to wrap their API in your own middleware that you host in a trusted environment such a server you control, or Cloud Functions. That's then where you ensure all access to the API is authorized, for example by setting up your own security system.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

5

Not sure if this help, but my Firebase Cloud Function use this.

  1. Create your secret by

firebase functions:config:set secret.API_KEY="THE API KEY"

  1. Access your secret by using functions.config().secret.API_KEY

Note: This should only use for server use case, not in the client code. For server I meant Firebase Cloud Function or your backend.

Improve this answer

2 Comments

but I need to use the variable in client-side code. the project is a react-redux-firestore project and I am calling the data from a certain page using Axios.
Thank you very much Liem for trying to help.
3

The safe way I've found to store your third-party keys is using the Google Secrets Manager. It is now baked into the Firebase Functions SDK and works very well. You can find the information here, under the section titled "Store and access sensitive configuration information".

Two things worth mentioning:

There is a small bug in the syntax example, they forgot to add the https before onCall.

You'll need to give the service account which runs the cloud function when deployed access to the secrets. Here are the official docs on how to do that. If you are deploying through Firebase, you'll want to look for the service account whose address is [project-name]@appspot.gserviceaccount.com. If you have any doubts about which service account is running the Cloud Function, look under the Details tab in the Cloud Functions section of Google Cloud Platform and it will show you that information. Also, under the Variables tab, you can see what secrets your Cloud Function has access to.

This process makes it really easy to manage third-party keys as you can manage them at your project level and not have to worry about them being stored else where or needing to manage .env files. It also works with the Firebase Emulators and uses the credentials of the user running the emulators for access.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.