Firebase 身份验证我的变量安全吗? [英] Firebase Auth Are my variables secure/safe?
问题描述
我目前正在使用 heroku 来存储我的 firebase 身份验证初始化的环境变量.我正在使用我的服务器获取环境变量并使用 socket.io 将其发送到客户端.下面是我的意思.
I am currently using heroku to store my environmental variables for my firebase authentication initialisation. I am using my server to get the environmental variables and send it to the client using socket.io. Below is what I mean.
1) 从服务器向客户端发送环境变量的示例:
1) Example of sending environmental variable to client from server:
socket.emit('value', process.env.apiKey);
2) 将其作为 data[0] 存储在客户端:
2) storing it as data[0] in the client:
socket.on('value', function(data) {
firebase.initializeApp({
apiKey: data[0],
});
})这样安全吗?像这样保存在客户端的apiKey的值可以从客户端获取吗?
Is this safe? Can someone from the client retrieve the value of the apiKey if I save it like this on the client?
谢谢
推荐答案
如果数据是从客户端使用的,恶意用户可以从那里获取.像这里一样动态查找数据,只是增加了一个额外的步骤.
If the data is used from the client, it can be gotten from there by a malicious user. Looking up the data dynamically like you do here, merely adds an extra step.
但是您传递给 initializeApp 的数据是基本配置数据,它允许代码在服务器上找到您的 Firebase 项目.它不是秘密,也不是安全机制,可以安全地与您的用户共享.请在此处查看我的回答,了解为什么您不必尝试保护这些数据:向公众公开 Firebase apiKey 是否安全?
But the data that you pass to initializeApp is basic configuration data that allows the code to find your Firebase project on the servers. It is not a secret, it's not a security mechanism ,and it can be safely shared with your users. See my answer here, for why you don't have to try and secure this data: Is it safe to expose Firebase apiKey to the public?
这篇关于Firebase 身份验证我的变量安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
