Security Risk

[chtushar]

apiKey,
authDomain,
databaseURL,
projectId,
storageBucket,
messagingSenderId,
appId

are visible here.
Kindly fix this issue as it seems to be a High Security Risk. This information should be kept confidential.

Solution:

• Create a separate file called firebaseConfig.js.
• Add your details

const firebaseConfig = {
  apiKey: "Axxxxxxxxxxxxxxxxxxx",
 authDomain: "xxxxxx.firebaseapp.com",
 databaseURL: "https://xxxxxxxx.firebaseio.com",
 projectId: "xxxxxxxxx",
 storageBucket: "xxxxxxx.appspot.com",
 messagingSenderId: "xxxxxxxxxxx",
 appId: "1:xxxxxxxxx:web:xxxxxxx"
}

module.exports = firebaseConfig

• Import file firebaseConfig.js in firebase.js
• Add following line of code in .gitignore file in root directory.
  firebaseConfig.js
• And Commit, issue will be solved!

Happy Hacking! :)

[aravindvnair99]

@chtushar This isn't a High-Security Risk. The configuration snippet just identifies a Firebase project on Google servers. In fact, it is necessary to include it for users to interact with a Firebase project. This same configuration data is also included in every web or iOS or Android app that uses Firebase as its backend. It's just publicly available data.

Please close this issue.

[agarwalbharat]

Workin on it... as the concern is correct....

Already fixed for Aura Admin in gdg-x/aura-admin#66

[aravindvnair99]

Workin on it... as the concern is correct....

Already fixed for Aura Admin in gdg-x/aura-admin#66

@bharatagsrwal That's not a valid security bug as I mentioned in #80 (comment). Could you please explain why it's a valid concern?

Appending /__/firebase/init.js to any Firebase domain will give you the config for that particular project. Such as for the PR you tagged, here it is: https://myaurapp.firebaseapp.com/__/firebase/init.js or https://auradmin.web.app/__/firebase/init.js

The configuration snippet just identifies a Firebase project on Google servers. It's just publicly available data.