I am working on a Chrome extension, and I’ve been trying to decide on the best low-effort way to hide a 3rd party API key to avoid hardcoding it in the extension JS files.
Obfuscation, minifying, a lambda function that validates the Chrome extension ID… these are all security by obscurity and not bulletproof. I don’t need bulletproof, but I still need something better. A dedicated proxy server to make the API calls on the extension’s behalf, ain’t it (too much effort for a low-complexity extension).
So here’s an idea I’d like to validate: I am using Google authentication and Firebase (Firestore DB). The DB has rules to limit access to authenticated users. What if I save the API key in a new Firestore table and fetch it by querying the table through the authenticated user?
It’s probably just as bad, right? The key will still be visible through the network tab as part of the response… *sighs*.
2 Answers
So, I think I'll go the Firebase Cloud functions way. With the correct permissions in place, only Google-authenticated users can call the endpoint.
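The pattern this answer describes, as an added example that is not code from the original thread: the extension calls an authenticated server-side endpoint, and the endpoint adds the third-party key before forwarding the request, so the key never reaches the client or its network tab. The Firebase callable-function wrapper is left out so the logic runs offline; `auth`, `request` and `fetchImpl` are assumed, hypothetical arguments standing in for the callable context, the client payload and `fetch`, and the API URL and key value are constructed placeholders.

```javascript
// Key lives only on the server (env var or secret manager); the client never sees it.
const THIRD_PARTY_API_KEY = process.env.THIRD_PARTY_API_KEY || 'constructed-test-key';

// Error shaped like a callable-function error: a short code plus a message.
class ProxyError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// auth: the caller's verified identity (null when unauthenticated, as in a
// callable function's context.auth); request: what the extension asked for;
// fetchImpl: injected so the example can run without network access.
async function proxyThirdPartyCall(auth, request, fetchImpl) {
  if (!auth || !auth.uid) {
    throw new ProxyError('unauthenticated', 'Sign in with Google first.');
  }
  // Validate the client-supplied input so the proxy is not an open relay for the key.
  if (typeof request.q !== 'string' || request.q.length === 0 || request.q.length > 200) {
    throw new ProxyError('invalid-argument', 'q must be a short non-empty string.');
  }
  // The key is attached here, server-side, and is never echoed back.
  const url = 'https://api.example.invalid/search?q=' + encodeURIComponent(request.q);
  const res = await fetchImpl(url, { headers: { 'X-Api-Key': THIRD_PARTY_API_KEY } });
  if (!res.ok) throw new ProxyError('internal', 'Upstream call failed: ' + res.status);
  const body = await res.json();
  // Return only the fields the extension needs, not the raw upstream response.
  return { results: body.results };
}

// Constructed stand-in for fetch: records what the proxy sent upstream.
function makeFakeFetch() {
  const calls = [];
  const fn = async (url, opts) => {
    calls.push({ url, key: opts.headers['X-Api-Key'] });
    return { ok: true, status: 200, json: async () => ({ results: ['a', 'b'], upstreamMeta: 'x' }) };
  };
  return { fn, calls };
}
```

In a real deployment the same function body sits inside a callable Cloud Function and reads the identity from the verified context rather than from an argument.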
If you really want to go down this route... how about splitting the key, storing the parts in 5 or 10 Firestore documents, and joining them on the client side?