Hide 3rd party API-key with firebase


Problem description

I'm building a website in firebase. It's a simple look-up service which only has an input element that fires a request to a 3rd party api.

www.3rdparty.com/api/[myapikey]/method

The problem is that I'm limited to x requests per second and I can't expose my api-key to the users.

My mission eventually is to store the responses in firebase so that I can limit the number of requests that reach the 3rd party (a cache function)

Solution

Putting such an API key into the client-side code of your application introduces the risk of malicious users taking your key and using it for their own purposes. There is nothing you can do about that, except for simply not including the API key in the client-side code. This applies equally to Android and iOS code btw.

Since you can't put the API key in client-side code, you'll have to run it on a server. This is a quite common scenario for using server-side code within a Firebase architecture: the code needs access to some information that common clients cannot be trusted with. It is covered by pattern 2 in our blog post on common Firebase application architectures.

From that blog post:

An example of such an architecture in action would be clients placing tasks for the server to process in a queue. You can have one or more servers picking off items from the queue whenever they have resources available, and then place the result back into your Firebase database so the clients can read them.
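
The queue-worker pattern described in the answer, combined with the response cache the question asks for, as an added example that is not part of the original answer or of Firebase's own code. Assumptions: `makeDb()` is a hypothetical in-memory stand-in for three database paths (queue, results, cache), `callApi` is an injected HTTP function, the lookup term takes the place of `method` in the URL, and `MAX_PER_SECOND` stands in for the provider's "x requests per second".

```javascript
// Added example (not from the original answer). Assumptions: the key comes from
// the server's environment, the lookup term takes the place of "method" in the
// URL, and MAX_PER_SECOND stands in for the provider's "x requests per second".
const API_KEY = process.env.THIRD_PARTY_API_KEY || 'constructed-demo-key';
const MAX_PER_SECOND = 2;

// Hypothetical stand-in for three Firebase database paths the worker owns.
function makeDb() {
  return { queue: new Map(), results: new Map(), cache: new Map() };
}

// The key is interpolated only here, on the server; clients never see this URL.
function buildUrl(term) {
  return `https://www.3rdparty.com/api/${API_KEY}/${encodeURIComponent(term)}`;
}

// callApi(url) performs the real HTTP request in production; it is injected so
// the example runs offline. now() is injectable for the same reason.
function createWorker(db, callApi, now = Date.now) {
  let sentAt = []; // timestamps of upstream calls within the last second
  return async function processQueue() {
    for (const [id, task] of [...db.queue]) {
      // Tasks are written by untrusted clients: validate before use.
      const term = String(task?.term ?? '').trim().toLowerCase();
      if (!/^[a-z0-9 _-]{1,64}$/.test(term)) {
        db.results.set(id, { error: 'invalid term' });
      } else if (db.cache.has(term)) {
        db.results.set(id, { data: db.cache.get(term), cached: true });
      } else {
        sentAt = sentAt.filter((t) => now() - t < 1000);
        if (sentAt.length >= MAX_PER_SECOND) continue; // stays queued for a later pass
        sentAt.push(now());
        try {
          const data = await callApi(buildUrl(term));
          db.cache.set(term, data);
          db.results.set(id, { data, cached: false });
        } catch (err) {
          // Do not copy err into the result: it can contain the keyed URL.
          db.results.set(id, { error: 'lookup failed' });
        }
      }
      db.queue.delete(id);
    }
    return db;
  };
}
```

Clients should only be able to write to the queue path and read their own result; the cache path and the key stay readable by the server process alone.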
