Use Firebase in SPA project

I need help with good practices for using Firebase in an SPA project, in my case Angular.

I am taking a development course with Angular 4, and in the topic on using Firebase as the application's backend, authentication is implemented in the console of Angular. The course uses the "Add Firebase to your Web application" option, which generates the code below.

  var config = {
    apiKey: "<api key>",
    authDomain: "<authDomain>",
    databaseURL: "<databaseURL>",
    projectId: "<projectId>",
    storageBucket: "<storageBucket>",
    messagingSenderId: "<messagingSenderId>"
  };
  firebase.initializeApp(config);

As the application is an SPA, this data goes to the client. Isn't there a risk that someone will capture the data to develop a fake page and misuse the resources? How do I use Firebase in an SPA project? Is it safe to use the client's direct connection to Firebase, or do I need to develop a middleware to mediate this communication?

Author: danieltakeshi, 2019-01-28

1 answer

Good morning, friend. Firebase really does have this "opening". What you need to do is protect the data internally: the database, Firestore and Storage should have security tied to the logged-in user, so that even with access to this data the attacker can do nothing. Another form of additional protection is to lock Firebase's CORS to accept connections only from your server; the console has an option for allowed domains, in the authentication part, and gsutil.

Be careful about leaving localhost allowed in authentication, as it lets a stranger with this access data create a user, so security has to be on all sides. Try to make the data accessible to users individually, so each user has access only to the data relating to them, and the most sensitive data you can leave locked and manipulate only through functions.

Hope I helped

Here are some links:

https://youtu.be/rtoxRg-kbt0

https://youtu.be/b7PUm7LmAOw

https://youtu.be/qLrDWBKTUZo

https://youtu.be/oFlHzF5U-HA

https://youtu.be/eW5MdE3ZcAw

 1
Author: Rodolfo Patane, 2019-02-16 11:19:27
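
The per-user restriction described in the answer above, sketched as Cloud Firestore security rules. This is an added example, not part of the original answer or the course material; the collection names `users` and `billing` and the helper `isOwner` are hypothetical.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical helper: true only when the caller is signed in as `uid`.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // WEAK (shown for contrast, do not deploy): with this rule, anyone who
    // copies the client config from the SPA can read and write everything.
    // match /{document=**} { allow read, write: if true; }

    // Per-user data in a hypothetical `users` collection whose document ID
    // is the Firebase Auth uid. Each user reaches only their own document.
    match /users/{uid} {
      allow read, write: if isOwner(uid);

      // Subcollections under the user's document get the same owner check.
      match /{sub=**} {
        allow read, write: if isOwner(uid);
      }
    }

    // Sensitive data in a hypothetical `billing` collection: no client
    // access at all. Cloud Functions using the Admin SDK bypass these
    // rules, so they remain the only path that can read or change it.
    match /billing/{docId} {
      allow read, write: if false;
    }
  }
}
```

Any path without a matching `allow` is denied by default, so the values in the client config alone grant nothing once rules like these are deployed.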