API key is revealed via request url, how to deal with it?

Time:12-09

I have seen a similar question like How to solve API key is visible on request URL problem?, but I don't think it's applicable to my use case.

I'm using Firebase authentication for my application (React app, served from a NestJS back end) and noticed one thing: it exposes the Google Cloud API key via the request URL. The current authentication flow is:

  1. Using OAuth2, the front-end makes a call to Google Identity Platform using the Firebase SDK to retrieve login information (display name, ID token, etc.)
  2. The front-end makes a call to the NestJS API to validate the login information using the Firebase Admin SDK and create an HTTP-only cookie to preserve authentication state.

As far as I know, the React app requires access to the API key so Firebase can be implemented. There is no way to bypass that requirement. Even if the key is hidden in a .env file, the API key is still revealed via the network tab. In some cases, let's say if I forget to handle the exception of a signInWithRedirect() (or any other Firebase function), the error raised (Uncaught Promise: requestUrl/apiKey="My Key") is shown in the console, so it's even worse.

I'm not certain if I misunderstand something regarding the whole implementation and authentication flow. If so, then please correct me on that. If not, please let me know how to solve this issue.

CodePudding user response:

It appears that in the case of Firebase, exposing the API key is fine. However, this is only due to how Firebase works, not because exposing an API key in general is safe. A more detailed discussion can be found here: Is it safe to expose Firebase apiKey to the public?

I'm using Google Identity Platform, not Firebase, but Google Identity Platform uses Firebase and Firebase Admin SDK too so I believe this is applicable.

This matter is also mentioned in official Firebase instruction video. Kudos to user usr28765526 for mentioning this.
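The practical consequence of the answer above, as an added example that is not part of the original question or answer: the server half of the flow described in the question (step 2) never touches the web API key at all. The key only identifies the Firebase project to Google's endpoints; what actually protects the back end is the Firebase Admin SDK's verification of the ID token (using service-account credentials, which are secret and stay on the server) and an HttpOnly session cookie. The code assumes the real Admin SDK methods `auth().verifyIdToken(idToken, checkRevoked)`, `auth().createSessionCookie(idToken, { expiresIn })` and `auth().verifySessionCookie(cookie, checkRevoked)`; the `auth` object is injected so the handler logic runs offline with a fake, and the cookie name `__session`, the five-day lifetime and the five-minute "recent sign-in" window are choices made for this example.

```javascript
// Added example, not code from the original post: the NestJS/Express side of
// "exchange a Firebase ID token for an HttpOnly session cookie". Nothing here
// needs the Firebase web API key. `auth` is injected; in production pass
// require('firebase-admin').auth() after initializing the app with a
// service-account credential (that credential is the real secret).

const SESSION_COOKIE = '__session';            // assumed cookie name
const SESSION_TTL_MS = 5 * 24 * 60 * 60 * 1000; // assumed 5-day session lifetime
const MAX_TOKEN_AGE_S = 5 * 60;                 // assumed: ID token must be <5 min old

// HttpOnly: unreadable from page JS; Secure: HTTPS only; SameSite=Strict: never sent cross-site.
function serializeCookie(name, value, maxAgeMs) {
  const maxAge = Math.floor(maxAgeMs / 1000);
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// POST /session handler. Returns {status, headers, body} so it can be mapped onto
// any framework (a NestJS controller would return body and set headers from it).
async function createSession(auth, idToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof idToken !== 'string' || idToken.length === 0) {
    return { status: 400, headers: {}, body: { error: 'missing idToken' } };
  }
  let decoded;
  try {
    // checkRevoked=true adds a lookup but rejects tokens of users whose sessions were revoked.
    decoded = await auth.verifyIdToken(idToken, true);
  } catch (err) {
    return { status: 401, headers: {}, body: { error: 'invalid idToken' } };
  }
  // Only a freshly signed-in user may mint a long-lived session.
  if (nowSeconds - decoded.auth_time > MAX_TOKEN_AGE_S) {
    return { status: 401, headers: {}, body: { error: 'recent sign-in required' } };
  }
  const sessionCookie = await auth.createSessionCookie(idToken, { expiresIn: SESSION_TTL_MS });
  return {
    status: 200,
    headers: { 'Set-Cookie': serializeCookie(SESSION_COOKIE, sessionCookie, SESSION_TTL_MS) },
    body: { uid: decoded.uid },
  };
}

// Authenticate a later request from the Cookie header alone; returns the uid or null.
async function userFromCookieHeader(auth, cookieHeader) {
  const pairs = (cookieHeader || '').split(';').map((p) => p.trim());
  const entry = pairs.find((p) => p.startsWith(SESSION_COOKIE + '='));
  if (!entry) return null;
  const value = decodeURIComponent(entry.slice(SESSION_COOKIE.length + 1));
  try {
    const claims = await auth.verifySessionCookie(value, true);
    return claims.uid;
  } catch (err) {
    return null;
  }
}
```

Because the session cookie is HttpOnly, a script injected into the React app cannot read it, and because verification happens with the Admin SDK on the server, knowing the project's web API key gives an attacker nothing beyond the ability to talk to Identity Platform as an anonymous client, which is exactly what the Firebase SDK in the browser already does.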
