tutorbookapp / old-tutorbook

Source available code for Tutorbook's progressive web app (PWA).
https://tutorbook.app

fix: firebase config keys exposed to public #270

Open chroline opened 4 years ago

chroline commented 4 years ago

Hello there, great product.

I have a security concern regarding your Firebase configuration and your API keys. Performing a basic search query for "apiKey", I found 176 results for "apiKey" within the tutorbook repo, which is very concerning.

My recommendation would be to move these configuration details to environment variables so that they aren't publicly visible and available on the public code repository.

nicholaschiang commented 4 years ago

Good idea! We'll work on this right away.

dos077 commented 4 years ago

According to the Firebase team themselves, exposing the API key is not a risk. This project seems to run Firebase in a node.js client-side app, so the API key will be compiled into plain text in the client-side JS file, even if it is hidden in the source code. Sure, it's easier for maintenance if the API key is stored in ENV, but the actual data safeguard relies on GAPI auth to verify the user and the security settings on the database.

Firebase engineer commented on Stack Overflow
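The point dos077 makes, that the web config (including `apiKey`) is public by design and the real access control is the database's security rules, is easiest to see in the rules themselves. The following is an added example written for this thread, not Tutorbook's own rules; the `users` collection and its `uid` and `roles` fields are assumed:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK: this is what moving the apiKey into .env does NOT fix.
    // With rules like these, anyone holding the (public) web config
    // can read and write every document, signed in or not.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Helpers: identity comes from Firebase Auth, not from the API key.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // Assumed users collection keyed by Firebase Auth uid:
    // a user may read and update only their own profile, may not
    // rewrite the uid field, and may not grant themselves roles.
    match /users/{uid} {
      allow read: if isOwner(uid);
      allow create: if isOwner(uid)
                    && request.resource.data.uid == uid;
      allow update: if isOwner(uid)
                    && request.resource.data.uid == resource.data.uid
                    && !request.resource.data.diff(resource.data)
                         .affectedKeys().hasAny(['roles']);
      allow delete: if false;
    }

    // Any path not matched above is denied by default.
  }
}
```

Rules like these can be exercised locally against the Firebase emulator before deployment, which is where a leaked-key worry should turn into a rules review.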