flamelink / flamelink-js-sdk

🦊 Official Flamelink JavaScript SDK for both the Firebase Realtime database and Cloud Firestore
https://flamelink.github.io/flamelink-js-sdk
MIT License

Flamelink exposes the private key even if the populate param is set to true #98

Closed chadsfatherlali closed 5 years ago

chadsfatherlali commented 5 years ago

Hi guys, I had this problem a month ago, but it could be solved with the populate param set to true. This time it isn't working. This is an example of how I called the collection:

"firebase": "^6.2.0", "firebase-admin": "^8.0.0", "flamelink": "^1.0.0-alpha.19",

let island = await __content.getByField({ schemaKey: 'island', field: 'slug', value: params.index, populate: true });

The result is the document, in fact, but with the private key exposed, as you can see:


jperasmus commented 5 years ago

Hi @chadsfatherlali, thanks for adding the issue here.

For others finding this, the issue happens when you use a universal solution like Nuxt, Next, Angular Universal, etc. and have queries run on your server using the firebase-admin SDK, which get sent through to the client. The firebase-admin SDK assumes that it is used in a trusted environment, so the private key for your connection details is included in the reference objects.

Where Flamelink comes into the picture: Flamelink stores many values (if you're using Cloud Firestore) as Firebase Document References, to reduce DB size and to quickly link you to related documents in your DB.

With that said, if you populate a reference field, the Flamelink SDK should expand this reference into the actual referenced document's JSON data, which does not include the private credentials.

@chadsfatherlali can you please give me an example of the field that you are trying to populate that isn't expanding? i.e. what query are you running and how does the data look? I'm sure if there is a problem with a field not populating it will be specific to a particular use case and not in general.

Can you also try upgrading your SDK to the latest version v1.0.0-alpha.25 to see if that makes a difference?
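One defensive check a server-rendering setup can add, shown here as an added example that is not the Flamelink SDK's or firebase-admin's own code: it walks the data returned by the server-side query, reports any embedded credential keys, and replaces un-populated references with just their document path before the payload is serialised for the browser. The sample document and the `_firestore`/`_path` shape are constructed from the dumps in this issue; the key value is a placeholder.

```javascript
// Guard server-rendered data before it is sent to the browser. An un-populated
// firebase-admin DocumentReference carries the service-account credentials under
// _firestore._settings.credentials, so serialising it into the page leaks the key.

const SENSITIVE_KEYS = new Set(['private_key', 'client_email', 'credentials']);

// Return the dotted path of every sensitive key found anywhere in `value`.
function findLeakedCredentials(value, path = '', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (SENSITIVE_KEYS.has(key)) found.push(here);
    findLeakedCredentials(child, here, found);
  }
  return found;
}

// Heuristic for an un-populated firebase-admin DocumentReference: it carries the
// internal _firestore client and a _path with segments (shape taken from the issue).
function isDocumentReference(value) {
  return value !== null && typeof value === 'object' &&
    '_firestore' in value && value._path && Array.isArray(value._path.segments);
}

// Replace every reference with its document path ("fl_files/<id>") so the payload
// keeps the link to the related document but drops the embedded client object.
function stripReferences(value) {
  if (Array.isArray(value)) return value.map(stripReferences);
  if (isDocumentReference(value)) return { path: value._path.segments.join('/') };
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, stripReferences(v)]));
  }
  return value;
}

// Constructed sample mirroring the repeater/media field reported in the issue.
// The private key is a placeholder string, not a real credential.
const sampleDoc = {
  slug: 'santiago',
  gallery: [{ uniqueKey: 'V-4_m55eX', image: [{
    _firestore: { _settings: { credentials: {
      private_key: '<PLACEHOLDER-PRIVATE-KEY>',
      client_email: 'sa@example.iam.gserviceaccount.com' } } },
    _path: { segments: ['fl_files', '0Zv90FkSllPFMjsnoTDH'] },
  }] }],
};
```

Running `findLeakedCredentials` on the raw document flags the credentials block; after `stripReferences` the same check returns nothing and the image entry is reduced to `{ path: 'fl_files/0Zv90FkSllPFMjsnoTDH' }`.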

chadsfatherlali commented 5 years ago

Thanks for the help, and yep, upgrading the flamelink sdk to v1.0.0-alpha.25 was the trick. Here you have the field that comes with the credentials if populate isn't set:

It's a repeater field with a media field inside.


chadsfatherlali commented 5 years ago

It was fixed with v1.0.0-alpha.25

jperasmus commented 5 years ago

Great stuff, thanks 👍