by c0smic
56 days ago
They've updated that documentation significantly since thousands of projects were issued automatically generated Firebase API keys, pre-Gemini. See this version from Oct 2022: https://web.archive.org/web/20221001052713/https://firebase.... Back then, they did not automatically restrict those keys to only Firebase-related APIs. So yes, if you read the documentation as it exists today it's much more clear what they're trying to prevent, but this is only after this issue has become more apparent.

If that is the case, why is this also in the 2022 link?
The part about scoping links to the restrictions documentation.
"Understand API keys
API keys for Firebase services are not secret
Firebase uses API keys only to identify your app's Firebase project to Firebase services, and not to control access to database or Cloud Storage data, which is done using Firebase Security Rules. For this reason, you do not need to treat API keys for Firebase services as secrets, and you can safely embed them in client code. Learn more about API keys for Firebase.
Set up API key scoping
As an additional deterrent against an attacker attempting to use your API key to spoof requests, you can create API keys scoped to your app clients.
Keep FCM server keys secret
Unlike API keys for Firebase services, FCM server keys (used by the legacy FCM HTTP API) are sensitive and must be kept secret.
Keep service account keys secret
Also unlike API keys for Firebase services, service account private keys (used by the Admin SDK) are sensitive and must be kept secret."
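As an added illustration of the point in the quoted documentation (this is not code from either commenter or from Firebase's docs), here is a Firestore Security Rules file showing where the actual access boundary lives: the caller's Firebase Auth identity, evaluated by rules, rather than the web API key embedded in the client. The collection layout (`/users/{uid}/...`) is an assumption made for the example.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Deny anything not explicitly matched below. Possessing the project's
    // web API key does not change this outcome: the key only identifies the
    // project, it carries no authorization.
    match /{document=**} {
      allow read, write: if false;
    }

    // Assumed layout: each user's private documents live under /users/{uid}.
    // Access requires a valid Firebase Auth token whose uid matches the path,
    // so an unauthenticated request (even one carrying the API key) is refused.
    match /users/{uid}/{document=**} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
  }
}
```

The rules engine grants access if any `match` block allows it, so the explicit catch-all deny is documentation of intent rather than an override; the real protection is that no other block allows access without a matching `request.auth.uid`. Deploy with `firebase deploy --only firestore:rules` and exercise both the authenticated and the unauthenticated case in the Firebase emulator or the console's Rules Playground before relying on it.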