Firebase Messaging - Is it safe to store config variables in service worker? #4959

kush-daga · 2021-06-01T05:17:57Z

kush-daga
Jun 1, 2021

Hey!
I recently implemented Push Notifications in my NextJs application, I used firebase messaging to create and initialize my service-worker on the app,
My firebase-messaging-sw.js is as follows:

importScripts('https://www.gstatic.com/firebasejs/7.14.2/firebase-app.js');
importScripts('https://www.gstatic.com/firebasejs/7.14.2/firebase-messaging.js');

const config = {
  apiKey: '***********',
  authDomain: '************',
  databaseURL: '********',
  projectId: '**************',
  storageBucket: '***************',
  messagingSenderId: '*****************',
  appId: '******************',
};

firebase.initializeApp(config);
const messaging = firebase.messaging();

messaging.setBackgroundMessageHandler(function (payload) {
  console.log('[firebase-messaging-sw.js] Received background message ', payload);
  const notificationTitle = payload.data.title;
  const notificationOptions = {
    body: payload.data.body,
    icon: '/icon.png',
  };
  return self.registration.showNotification(notificationTitle, notificationOptions);
});

self.addEventListener('notificationclick', (event) => {
  console.log(event);
  return event;
});

With **** replaced with real values, It works perfectly and it registers the service worker, and I am getting notifications, however something that I am really doubtful or unsure of are the config variables in the service worker, currently when I deploy this using netlify and then try to open the app, I can easily access the service worker file using Dev tools like this

Isn't this less secure, and is there any proper way to hide these values? Or is it ok for them being exposed?

Answered by dbanisimov

Jun 1, 2021

Yes, it is okay for them to be exposed. They are public by design.

Even more, if you're using Firebase Hosting they'll be exposed automatically under a reserved path /__/firebase/init.json. For example check out the modular SDK website by the Firebase team themselves: https://modularfirebase.web.app/__/firebase/init.json

View full answer

dbanisimov · 2021-06-01T06:45:55Z

dbanisimov
Jun 1, 2021

Yes, it is okay for them to be exposed. They are public by design.

Even more, if you're using Firebase Hosting they'll be exposed automatically under a reserved path /__/firebase/init.json. For example check out the modular SDK website by the Firebase team themselves: https://modularfirebase.web.app/__/firebase/init.json

1 reply

kush-daga Jun 1, 2021
Author

Oh okay, no im not using firebase hosting, but thanks.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Firebase Messaging - Is it safe to store config variables in service worker? #4959

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Firebase Messaging - Is it safe to store config variables in service worker? #4959

kush-daga Jun 1, 2021

Replies: 1 comment · 1 reply

dbanisimov Jun 1, 2021

kush-daga Jun 1, 2021 Author

kush-daga
Jun 1, 2021

Replies: 1 comment 1 reply

dbanisimov
Jun 1, 2021

kush-daga Jun 1, 2021
Author