When implementing Web Push Notifications (using a Service Worker) via Firebase in a website, it seems all the Firebase configuration data must be present in JavaScript files that can be accessed and read by anyone accessing the website.
apiKey, vapidKey, messagingSenderId, appId, etc.
I am wondering if I'm suffering from a fundamental misunderstanding here, or if this is just the way it is.
I followed the instructions in the official Firebase documentation and my code looks basically the same as the examples I can find.
Right before doing the
const firebaseApp = initializeApp(firebaseConfig);
const messaging = getMessaging(firebaseApp);
I need to have the firebaseConfig defined literally in the JavaScript file – for anyone to read.
And when doing the
firebase_getToken(messaging, ...)
the vapidKey also needs to be present in the code.
As it all is happening on the client side (in the browser - either page or service worker), I cannot see a way around it.
Just wondering about the security implications of it.
Anyone shining a light on that for me would be highly appreciated!
Regards J.