Firebase browser key API restrictions

16
votes

When creating a new project Firebase generates browser API keys automatically in the GCP API credentials. This is the same API key that is set in the Firebase Web client SDKs and is publicly available.

By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project. Surprisingly I have not found information about securing this key in the Firebase documentation.

So I took two extra steps to secure the key:

  1. Added HTTP referrer restriction to allow requests from my domain only.
  2. Added Identity Toolkit API to the list of allowed APIs. Experimentally I've figured out that it's enough for Firebase Auth and Firestore to work.
  3. Added Token Service API. This is needed for refresh tokens to work and keep the authentication.

My question is mostly related to points #2-3. What are the APIs that needs to be enabled for various components of Firebase to work on the web?

2
firebasefirebase-authenticationgoogle-cloud-firestore
I wonder if they do their own "restriction" magically in the background? Have you been able to use the public browser key to call other APIs, e.g. Google Maps geocoding?ahong
@ahong No they don't, yes I was able to use the public browser key to call other APIs.Pranaya

2 Answers

7
votes

I also enabled those same two APIs, but I used the Metrics Explorer to see what the various Firebase-created keys had been using based on actual traffic.

In GCP,

  • Go to Monitoring -> Metrics Explorer
  • Click 6W in the time range above the graph
  • Resource Type, start typing consumed_api and select it
  • Metric, choose Request Count
  • Group By, type credential_id, select it, then type service, and select it
  • Aggregator, select sum

By now, the legend for the graph should list all the credential ids and which services they used in the last 6 weeks. You should be able to figure out the APIs from the service.

You can use Filter to filter by credential_id if the results are too noisy.

1
votes

By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project.

This is indeed possible and I am able to make e. g. Google Maps API call with the auto generated Firebase API key.

Such preconfigured behaviour was certainly unexpected and I am now experimenting with the restrictions as per the extra steps described in the original question.