Storing and Retrieving API Secrets of third party cloud services?

[Dario Soller]

Hi,

I was wondering, if it is possible to somehow setup an API endpoint for retrieving an API secret of a third party cloud service? The overall issue is, that as you may know, it is not recommended to store public api_keys and api_secrets together at the client side (for example in the config of ember app itself).

The procedure would for example look like this. When I am calling https://resplendent-inferno-1234.firebaseio.com/third-party-params?timestamp=1405598984.34 I would get the following as response

{
  "timestamp":1405798984,
  "signature":"4a49f7e9009678h5678n678dc8798ca19cdb2da4",
  "api_key":"123455678679845"
}

In this example the signature would be the corresponding api_secret of my third party cloud service.

I think the demand for combining different cloud service in a single web app will be rising in the future. So is there something planed for firebase, or is something like this, already possible. Couldn't find any specific informations on this topic. Would be happy about any info or help on it.

Cheers Dario

[Jacob Wenger]

Hey Dario,

Client devices should never receive secrets of any kind in order to avoid leaking them to end users. Currently, you will have to spin up your own server to handle third party integrations. We are working on features that will allow you to do this effortlessly and without having to maintain your own servers, but there is no timeline for their release.

If you give us some information about what your actual use case is, we may be able to give you some better advice at present.

Cheers,

Jacob

--
You received this message because you are subscribed to the Google Groups "Firebase + EmberJS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-embe...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Dario Soller]

Hi Jacob,

thanks for your reply. You are of course right that secret keys should never be sent to a client. I think I misinterpreted the authentication signature with the secret key in this example, in which they use cloudinary as a image cloud service. The thing is that they provide an unsigned method, that is made possible by defining upload presets. But this has the limitation, that you can't delete and can't replace an image. I thought, that firebase & cloudinary would actually be a very slick combination, where I only have to save the publicID (of the image on cloudinary) to my firebase backend. Nevertheless I am still struggling with setting up the unsigned method, so maybe I will rethink my whole image upload process again.

Do you know any other image cloud services other than S3, that you could recommend with ember-cli? Should have a fair free plan, so that I am able to keep cost low during development.

Best, Dario

[Tim Stirrat]

Hi Dario,

The idea of using the preset seems sound. You could look at imgix, and their ember component. The component might give you ideas on how to use a similar method to render images that were uploaded to Cloudinary via the preset. 

Unfortunately I do not have experience with any image services and ember.

-Tim

[Dario Soller]

Hi Tim,

thanks for your reply. Good to know that imgix has an ember addon. Unfortunately, it is only for retrieving images from there service. Couldn't find any hints that uploading is possible. I think I put some effort in updating the somehow outdated ember-cli-addon, that already exist for cloudinary uploading.

Bests, Dario