Firebase Functions and API Keys

1
votes

Are Firebase functions a safe place to store API keys for a React App? As an example, see the following template for an axios API call in a Firebase Cloud function:

cloud function template

edit: added text code snippet. The question whether or not it is secure to store the API key directly in this snippet, given it's a firebase cloud function.

exports.getAlphaData = functions.https.onRequest((request, response) => {    

    const fetchAlphaData = async () => {        

        // Axios Call
        const result = await axios(
            'https://www.alphavantage.co/query?function=GLOBAL_QUOTE&symbol=SPY&XXXXXX',
        );

        // Expressjs Respond        
        response.send(result.data);

    };

    fetchAlphaData();

});

If this function were defined in the React App that would expose my API keys. React official docs among other sources say never use .env files for sensitive data, so I am setting aside that method for the keys as well. Where is the best place for a raw API key to actually reside within a full stack app?

2
javascriptreactjsfirebasegoogle-cloud-functions
On Stack Overflow, please don't show pictures of text and code. Copy the text into the question itself and format it so that it's easy to read, copy, and search. You can edit the question to correct this using the edit link at the bottom. - Doug Stevenson
Added as requested - Jacob

2 Answers

1
votes

Firebase can use Google Cloud Platform Services, you can integrate GCP Secret Manager on your functions with this service you can store your raw keys (these will be encrypted) and retrieved by your code function, this carries the benefit that you can restrict the access via Cloud IAM and service accounts.

This can help you to define which members of your projects or which service accounts can access to the API keys(secrets)

The permissions over the secrets can be configured so that even developers cannot see production environment keys, by assigning access permissions to secrets, but allowing that the function can get the secret (because the service account associated to your function can read the secret).

In this document you can find a code example about how to use GCP Secret Manager

0
votes

Yes, API keys are safe in Firebase Cloud Functions as this code is run on the server side and never showed to the users.

You could also store the keys in your DB (Firestore, Real Time DB) under strict access control and query it at runtime for the key, so that you then could even publish your code on GitHub and it wouldn't have the API key directly hardcoded in the code.