Use Firebase in SPA project

Question

Use Firebase in SPA project

Asked 5 years, 9 months ago

Viewed 114 times

1

I need some help with good practice in using the Firebase on a project SPA, in my case the Angular.

I’m taking a development course with Angular 4 and in the topic regarding the use of Firebase as the back-end of the application the implementation of the authentication in the Angular. In the course is used the option "Add Firebase to your web application", which generates the code below.

  var config = {
    apiKey: "<api key>",
    authDomain: "<authDomain>",
    databaseURL: "<databaseURL>",
    projectId: "<projectId>",
    storageBucket: "<storegeBucket>",
    messagingSenderId: "<messagingSenderId>"
  };
  firebase.initializeApp(config);

How the application is SPA this data goes to the client. Is there no risk of someone capturing the data to develop a fake page and misuse the resources? How do I use Firebase in a project SPA? It is safe to use the client’s direct connection to Firebase or need to develop a middleware to mediate this communication?

Only you don’t put this data on github in a public repository for example. By angular be compiled the files generated by it already comes configured with the right keys without need

– Eduardo Vargas

2019/01/28 at 20:06
Eduardo. The compilation generated by Angular is not completely safe. Just do a more "malicious" analysis on the code generated by the build that we can extract the information chapadas in code.

– anderson macedo

2019/01/28 at 20:17

1 answer

Browser other questions tagged angular firebase

You are not signed in. Login or sign up in order to post.

by Rodolfo Patane • **319** points · Answer 1 · 2019-02-16T11:19:27+00:00

Good morning friend, firebase has this "opening" even, what you need to do is protect internally the data, the database, firestore and Storage, have security attached to the logged in user, so even with access to this data the attacker can do nothing, another form of additional protection is to lock in the firebase the Cors to only accept connections from your server, in the console has option of allowed domains, in the authentication part, and you can manipulate the Cors tbm by gsutil .

Attention to Leave the localhost free in authentication, because it allows a stranger with this access data to create a user, so security has to be on all sides, try to make the data accessible to the users individually, so each user has access only to the data relating to it, and the most sensitive data you can leave locked is only manipulate through functions.

I hope I’ve helped

Here are some links

https://youtu.be/rtoxRg-kbt0

https://youtu.be/b7PUm7LmAOw

https://youtu.be/qLrDWBKTUZo

https://youtu.be/oFlHzF5U-HA

https://youtu.be/eW5MdE3ZcAw