Prevent anyone from being able to read/write to the database
The API key is not meant to be hidden on web (see here), and is exposed on clientside code. Assume that any user can gain access to the API key. Firebase rules (ex. firestore rules, storage rules) prevent malicious use. However the rules must be good enough:
if request.auth.id != null is not good enough, as a malicious user can use SDK to create an account for themselves with our API key. Many of our logins are restricted
the above may also be why anonymous authentication does not work
Applies to all repos
Will need to be more robust if going with dscgt/route_recorder#22
Prevent anyone from being able to read/write to the database
The API key is not meant to be hidden on web (see here), and is exposed on clientside code. Assume that any user can gain access to the API key. Firebase rules (ex. firestore rules, storage rules) prevent malicious use. However the rules must be good enough:
if request.auth.id != nullis not good enough, as a malicious user can use SDK to create an account for themselves with our API key. Many of our logins are restrictedApplies to all repos
Will need to be more robust if going with dscgt/route_recorder#22