BernabeFelix / todalasemana2.0

Handle Firebase secrets in a more secure way #34

Closed paulsancer closed 6 years ago

paulsancer commented 6 years ago

As this is client side code and settings, it can't use env vars (afaik).

I was thinking about requesting them to server, but it would be the same concern at the end of the day, because everyone should be able to send that request.

BernabeFelix commented 6 years ago

It's really easy, you never request from the frontend

paulsancer commented 6 years ago

Umm, unless I didn't understand it well enough, that is how Firebase Auth works. There is the normal auth package and the firebase-admin package. The first one is for the client and the admin one is for the backend to validate tokens generated by the client. See https://firebase.google.com/docs/auth/#how_does_it_work for reference.

If we did make those requests from the backend (that is how I started until I noticed the big wtf), every user would use the very same Firebase auth, hence every request would be handled as if it was sent by the last user that logged in...

I think I told you this last Saturday but I see I didn't explain myself jaja.

paulsancer commented 6 years ago

I found that Firebase can restrict the domains that can actually send requests to the firebase app: https://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification

paulsancer commented 6 years ago

We found out there is no way around this with the Firebase database.
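As an added illustration (not code from the todalasemana2.0 repository): the thread converges on the point that the Firebase client config is not a secret, so access control has to live in the Realtime Database security rules rather than in hiding the keys. The ruleset below replaces the open default (`".read": true, ".write": true`) with a default-deny root and ties each user's writes to their own subtree; the `users/$uid` and `public` paths are an assumed layout, and the `//` comments are allowed by the Firebase rules editor.

```json
{
  "rules": {
    // Default-deny at the root: nothing is readable or writable
    // unless a rule deeper in the tree grants it (rules cascade downward,
    // so a grant here would open every child path).
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // Assumed layout: each signed-in user owns users/<their uid>.
        // auth.uid comes from the ID token the client SDK attached to
        // the request, so it cannot be forged by changing client code.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",

        "email": {
          // Validate the shape of what is written, not just who writes it.
          ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)"
        }
      }
    },

    "public": {
      // Anyone may read this subtree; only signed-in users may change it.
      ".read": true,
      ".write": "auth != null"
    }
  }
}
```

Deploy it from the Firebase console's Rules tab or `firebase deploy --only database`; the domain restriction from the Stack Overflow link narrows where the API key works, but only these rules stop a signed-in user from editing someone else's data.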