Security concern with hardcoded FCM server key #1
Comments
Hello. You have to use Firebase Cloud Functions to get the Firebase server key for security. When I tried it, I had to upgrade my Firebase account to premium and pay for the server to use the advanced function for it. You can take the server key and send push notifications using the Cloud Function. Here is the reference site: https://firebase.flutter.dev/docs/functions/overview
Thanks for the answer. As I did some digging around, I learned that one should NEVER put their server key in a client app. The server key should only be put in a trusted environment like your own server or a private app. I think that using a Cloud Function as you have suggested is a good solution, but not for getting the security key; rather, for firing notifications to clients whenever a document is created or changed. As for the server key, to use it I think it should be put on your own server, and have your client app call its API for it to send a request to FCM for the push notification. Anyway, this is just a suggestion to improve your own apps and others.
Thank you very much for your comment. I wanted to have a programming conversation like this with others. haha. I agree with your opinion and I will follow your suggestion in my next project or when updating this chat app. Enjoy programming 👍🏻
I have checked out the project code and see that to make an HTTP request to the FCM server you need a Firebase Server key, which is suggested to be hardcoded into the project. In const.dart I see that you have replaced the key with a placeholder, but if others were to use it as an example then there is a major security concern if a client can get the key from the source code of the app. Can you update the code so that it can hide the Server key or get it from a remote server?
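The design suggested in the thread (the FCM server key stays on a trusted server, and a Cloud Function fires the push when a chat document is created), written up as an added example for this page rather than code taken from the project: a Node.js Cloud Function using the Firebase Admin SDK. The collection names, document fields and the `pushToken` field are assumptions, not the project's schema.

```javascript
// Added example, not the project's code: the notification is sent from a
// Cloud Function with the Admin SDK, so no FCM server key is shipped in the
// Flutter client. Assumed (hypothetical) data layout: chat documents at
// "messages/{messageId}" shaped { idFrom, idTo, content } and a "users/{uid}"
// document holding the recipient's device token in `pushToken`.

// Pure helper: build the FCM message for a new chat document. It has no SDK
// dependency, so it can be unit-tested without a Firebase project.
function buildPushMessage(message, recipientToken) {
  if (typeof recipientToken !== 'string' || recipientToken.length === 0) {
    return null; // recipient has no registered device: nothing to send
  }
  const text = String(message.content || '');
  return {
    token: recipientToken,
    notification: {
      title: `New message from ${message.idFrom}`,
      body: text.length > 100 ? text.slice(0, 97) + '...' : text,
    },
    data: { idFrom: String(message.idFrom), idTo: String(message.idTo) },
  };
}

// Handler factory: the Firestore and Messaging clients are passed in rather
// than required at module scope, so the handler can be exercised with fakes.
// In deployment pass admin.firestore() and admin.messaging().
function makeOnMessageCreated(db, messaging) {
  return async function onMessageCreated(snapshot) {
    const message = snapshot.data();
    const userDoc = await db.collection('users').doc(String(message.idTo)).get();
    const token = userDoc.exists ? userDoc.data().pushToken : undefined;
    const payload = buildPushMessage(message, token);
    if (payload === null) return null;
    await messaging.send(payload); // FCM HTTP v1 send via the Admin SDK
    return payload;
  };
}

// Deployment wiring (uncomment inside a Cloud Functions project):
//   const functions = require('firebase-functions');
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   exports.onMessageCreated = functions.firestore
//     .document('messages/{messageId}')
//     .onCreate(makeOnMessageCreated(admin.firestore(), admin.messaging()));
```

The client app then only needs to write the chat document; it never holds a credential that can call FCM directly.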