B4J Question [jServer] Is there a way to protect information like Node's environment variables?

Waldemar Lima

Well-Known Member
Licensed User
Longtime User
Hello, I would like to protect some private information from Firebase (firebaseConfig) for web. Is there any feature in jServer that helps to protect information like apiKey, authDomain, databaseURL, projectId and the like?

Using Node.js, you can use environment variables (.env) to secure this information. Is there any solution for B4J?
 

jahswant

Well-Known Member
Licensed User
Longtime User
Check out the jRDC2 project. You will find a config.properties file. You can use something similar and all your keys will be private.
 

EnriqueGonzalez

Well-Known Member
Licensed User
Longtime User
Environment variables are an OS property, not an app one, so you can use environment variables too with:

B4X:
    GetEnvironmentVariable("key","default")
 

Waldemar Lima

Well-Known Member
Licensed User
Longtime User
Sorry, I don't think I explained it clearly...?
I need to hide the Firebase information on the client side, similar to this tutorial in React.

But I would like a way to protect information on the front end using jServer.
 

DonManfred

Expert
Licensed User
Longtime User
"I need to hide the firebase information on the client side, Similar to this tutorial in REACT."
The solution in the link is to use environment variables on the server side. You were already told that you can use
B4X:
GetEnvironmentVariable("key","default")
to get an environment variable from within your jServer.

This is exactly the same as in your tutorial about React.

In fact you already have the solution usable in B4J.

So where is the problem actually?
 

EnriqueGonzalez

Well-Known Member
Licensed User
Longtime User
"Sorry, I don't think I explained it clearly..."
I think I agree with DonManfred here. Maybe it's not clear to you how environment variables work.

client side
If by client side you mean the browser, then you can store cookies. The semi-correct implementation is to encrypt those cookies with any encryption library and send them. The correct implementation is that the cookie is just a pointer to the real information on your server.

If you mean client side referring to jServer on your VPS (completely incorrect), then the line I sent is the same as the one Node.js uses.
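The "cookie is just a pointer" design described in the post above, as an added example that is not part of the original thread, written in JavaScript for Node.js. The cookie name `sid`, the 30-minute lifetime and the in-memory `Map` store are assumptions.

```javascript
const { randomBytes } = require('node:crypto');

const SESSION_TTL_MS = 30 * 60 * 1000; // assumed 30-minute lifetime
const sessions = new Map();            // token -> { data, expiresAt }; stand-in for a server-side store

// Keep the real data on the server and return only an opaque random token.
function createSession(data, now = Date.now()) {
  const token = randomBytes(32).toString('hex'); // 256 random bits, carries no information
  sessions.set(token, { data, expiresAt: now + SESSION_TTL_MS });
  return token;
}

// Set-Cookie value that hands the pointer to the browser.
function sessionCookie(token) {
  return `sid=${token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${SESSION_TTL_MS / 1000}`;
}

// Pull the token out of a request's Cookie header.
function tokenFromCookieHeader(header) {
  for (const part of (header || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'sid') return rest.join('=');
  }
  return null;
}

// Resolve the pointer; unknown, malformed or expired tokens yield null.
function loadSession(header, now = Date.now()) {
  const token = tokenFromCookieHeader(header);
  if (!token || !/^[0-9a-f]{64}$/.test(token)) return null;
  const entry = sessions.get(token);
  if (!entry) return null;
  if (entry.expiresAt <= now) {
    sessions.delete(token); // expired sessions are dropped on first use
    return null;
  }
  return entry.data;
}

// Constructed sample data: the browser only ever receives the token.
const demoToken = createSession({ userId: 'u-1001', role: 'admin' });
console.log(sessionCookie(demoToken));
console.log(loadSession(`sid=${demoToken}`));
```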
 

Waldemar Lima

Well-Known Member
Licensed User
Longtime User
"So where is the problem actually?"

Well, I'll explain in practice how it is:

I have the firebase.js file that is loaded in the index.html page.

index.html:
<!DOCTYPE html>
<html lang="pt-BR">
<head>
  <meta charset="UTF-8">
  <title>TodoList</title>
  <link rel="shortcut icon" href="img/todoListFavicon.png" type="image/x-icon">
  <link rel="stylesheet" href="css/styles.css">
</head>
<body>
  <div id="app">
    <!--TodoList logo-->
    <div class="center">
      <img src="img/todoList.png">
    </div>

    <!--Loading feedback-->
    <div id="loading">
      <img src="img/loading.gif" alt="Animação de carregamento">
    </div>

    <!--Content intended for unauthenticated users-->
    <div id="auth" class="center">
      <!--Authentication form-->
      <form id="authForm">
        <h3 id="authFormTitle">Acesse a sua conta para continuar</h3>

        <label for="email">E-mail: </label>
        <input type="email" placeholder="E-mail" id="email">

        <label for="password">Senha: </label>
        <input type="password" placeholder="Senha" id="password">

        <button type="submit" id="submitAuthForm">Acessar</button>
      </form>

      <!--Switch the authentication form to registration of new accounts-->
      <p id="register">
        Não possui uma conta?
        <button onclick="toggleToRegister()" class="alternative">Cadastrar uma nova conta</button>
      </p>

      <!--Switch the authentication form to access for existing accounts-->
      <p id="access" class="startHidden">
        Já possui uma conta?
        <button onclick="toggleToAccess()" class="alternative">Acesse a sua conta</button>
      </p>
    </div>
  </div>

  <!--Firebase resources-->
  <script src="https://www.gstatic.com/firebasejs/7.8.1/firebase-app.js"></script>
  <script src="https://www.gstatic.com/firebasejs/7.8.1/firebase-auth.js"></script>

 
  <!-- LOADING FIREBASE.JS BELOW -->
  <script src="js/firebase.js"></script>
  <script src="js/utils.js"></script>
  <script src="js/auth.js"></script>
</body>
</html>

firebase.js is where the "public" access settings for the Firebase project are.
But I would like to hide this information, even if it is "public", because the documentation itself says it is recommended to hide the information.

The information below is just an example of what I would like to hide.
firebase.js:
// Your web app's Firebase configuration
var firebaseConfig = {
  apiKey: "AIzaSyCvEv7AropwWlIEC-w5c3JgprOPxjA8-kM", // b4j_env("myapikey")
  authDomain: "todolist-84473.firebaseapp.com", // b4j_env("myauthdomain")
  databaseURL: "https://todolist-84473.firebaseio.com", // b4j_env("dburl")
  projectId: "todolist-84473", // b4j_env("myprojid")
  storageBucket: "todolist-84473.appspot.com", // b4j_env("....")
  messagingSenderId: "1009074245486", // b4j_env("....")
  appId: "1:1009074245486:web:f573ce9d33c653b28ebb7f" // b4j_env("....")
};

// Initialize Firebase
firebase.initializeApp(firebaseConfig);
 

tchart

Well-Known Member
Licensed User
Longtime User
You are using a client-side library, firebase.js - nothing to do with jServer.

The documentation doesn't list any options to obscure or encrypt the details when initialising. If you were to do anything you would need to do it on the client side before you called the library - so kind of pointless since someone could just use developer tools to see the decrypted settings anyway.

Usually with API keys you would limit access to a specific URL or IP address. I don't have experience with Firebase but many APIs have this feature. So even if someone had the API key they can't use it.
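An added example (not code from the thread or from jServer), in JavaScript because the question compares against Node.js: it shows what server-side environment variables do and do not protect when the server generates `js/firebase.js`. The `FIREBASE_*` and `ADMIN_PRIVATE_KEY` variable names and all sample values are assumptions; in jServer the same lookups would go through `GetEnvironmentVariable`.

```javascript
// Values the browser needs for firebase.initializeApp(): readable by every visitor.
// The environment variable names on the right are assumptions for this example.
const PUBLIC_FIELDS = {
  apiKey: 'FIREBASE_API_KEY',
  authDomain: 'FIREBASE_AUTH_DOMAIN',
  databaseURL: 'FIREBASE_DATABASE_URL',
  projectId: 'FIREBASE_PROJECT_ID',
  storageBucket: 'FIREBASE_STORAGE_BUCKET',
  messagingSenderId: 'FIREBASE_MESSAGING_SENDER_ID',
  appId: 'FIREBASE_APP_ID',
};

// Copy only allowlisted variables, so nothing else in the environment can leak.
function buildClientConfig(env) {
  const config = {};
  for (const [field, envName] of Object.entries(PUBLIC_FIELDS)) {
    if (!env[envName]) throw new Error(`missing environment variable ${envName}`);
    config[field] = env[envName];
  }
  return config;
}

// Body the server would return for js/firebase.js.
function renderFirebaseJs(env) {
  const json = JSON.stringify(buildClientConfig(env), null, 2);
  return `var firebaseConfig = ${json};\nfirebase.initializeApp(firebaseConfig);\n`;
}

// What any visitor can do with the served file: read the values straight back.
function readServedConfig(script) {
  const match = script.match(/var firebaseConfig = (\{[\s\S]*?\});/);
  return match ? JSON.parse(match[1]) : null;
}

// Constructed sample environment: placeholder values, not real credentials.
const sampleEnv = {
  FIREBASE_API_KEY: 'EXAMPLE-API-KEY',
  FIREBASE_AUTH_DOMAIN: 'example-project.firebaseapp.com',
  FIREBASE_DATABASE_URL: 'https://example-project.firebaseio.com',
  FIREBASE_PROJECT_ID: 'example-project',
  FIREBASE_STORAGE_BUCKET: 'example-project.appspot.com',
  FIREBASE_MESSAGING_SENDER_ID: '000000000000',
  FIREBASE_APP_ID: 'EXAMPLE-APP-ID',
  ADMIN_PRIVATE_KEY: 'EXAMPLE-SERVER-ONLY-SECRET', // hypothetical secret that must stay server-side
};

const served = renderFirebaseJs(sampleEnv);
console.log(readServedConfig(served).apiKey);              // visible to the client
console.log(served.includes(sampleEnv.ADMIN_PRIVATE_KEY)); // server-only value is never served
```

Moving the values into environment variables keeps them out of the source repository, but every field the client library needs still reaches the browser in clear text.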
 