Search code examples
reactjsfirebasereact-nativesecurityfirebase-security

Firebase security questions

I don't understand how Firebase security work

Hello there, I'm working on a React Native project using Firebase backend. I've finished it, and before uploading it to the app store, I wanted to review the security aspects, but there are a few things I don't understand.

1-If I store the Firebase keys in a .env file, won't they be visible to someone who downloads the application?

2-I'm using Cloud Functions to access the database. How can I prevent the HTTP request link from being visible and ensure that anyone can't make requests with the address?

3-Is it necessary to implement the authentication system from the client side? Or can I do it solely from cloud functions? I ask this because that way I wouldn't need to expose my Firebase keys in my client.

4- I hardly understand anything about cybersecurity and what attackers can or cannot do to my application if I publish it. If someone could send me a helpful video or post, I would appreciate it.

thanks.

Solution

  • If I store the Firebase keys in a .env file, won't they be visible to someone who downloads the application?

    Yes, but the firebase keys are meant to be public. Security comes through a few different things:

    1. Firestore, Realtime DB and Storage can have rules which restrict who is allowed to read/write which properties from the front end. Your back end code can read/write everything, so if there's a case too complicated to encode in the rules, you can set the rules to deny permission, and gate access behind a firebase function.
    2. If you want, you can have users log in with firebase auth. You can then check their authentication status in a firebase function, or in the rules mentioned above.
    3. App check can restrict access to calls made from a specific app or specific url. This can be used for functions, storage, and both databases.

    How can I prevent the HTTP request link from being visible

    It's going to be visible in the sense that someone can probably figure out what url you're hitting and can attempt to send their own POST to that url, but you can use #2 and/or #3 to deny access.

    Is it necessary to implement the authentication system from the client side?

    Not always. If everyone is going to have access to exactly the same things then you don't need it. But if you want some people to have access which other people do not, you'll need them to sign in.