Security Risk #80

Open
chtushar opened this issue Apr 19, 2020 · 3 comments
Labels
in progress Under Development

Comments

@chtushar

apiKey,
authDomain,
databaseURL,
projectId,
storageBucket,
messagingSenderId,
appId

are visible here.
Kindly fix this issue as it seems to be a High Security Risk. This information should be kept confidential.

Solution:

  • Create a separate file called firebaseConfig.js.
  • Add your details
// Placeholder values (x's) stand in for the real project values.
const firebaseConfig = {
  apiKey: "Axxxxxxxxxxxxxxxxxxx",
  authDomain: "xxxxxx.firebaseapp.com",
  databaseURL: "https://xxxxxxxx.firebaseio.com",
  projectId: "xxxxxxxxx",
  storageBucket: "xxxxxxx.appspot.com",
  messagingSenderId: "xxxxxxxxxxx",
  appId: "1:xxxxxxxxx:web:xxxxxxx"
}

module.exports = firebaseConfig
  • Import file firebaseConfig.js in firebase.js
  • Add following line of code in .gitignore file in root directory.
    firebaseConfig.js
  • And Commit, issue will be solved!

Happy Hacking! :)

@aravindvnair99

@chtushar This isn't a High-Security Risk. The configuration snippet just identifies a Firebase project on Google servers. In fact, it is necessary to include it for users to interact with a Firebase project. This same configuration data is also included in every web or iOS or Android app that uses Firebase as its backend. It's just publicly available data.

Please close this issue.

@agarwalbharat
Member

Working on it... as the concern is correct....

Already fixed for Aura Admin in gdg-x/aura-admin#66

@agarwalbharat agarwalbharat added the in progress Under Development label Mar 27, 2021
@agarwalbharat agarwalbharat reopened this Mar 27, 2021
@aravindvnair99

aravindvnair99 commented Mar 27, 2021

> Working on it... as the concern is correct....
>
> Already fixed for Aura Admin in gdg-x/aura-admin#66

@bharatagsrwal That's not a valid security bug as I mentioned in #80 (comment). Could you please explain why it's a valid concern?

Appending /__/firebase/init.js to any Firebase domain will give you the config for that particular project. Such as for the PR you tagged, here it is: https://myaurapp.firebaseapp.com/__/firebase/init.js or https://auradmin.web.app/__/firebase/init.js

The configuration snippet just identifies a Firebase project on Google servers. It's just publicly available data.
