- 00:00:02 hey welcome to this video
- 00:00:03 there is one question which i get quite
- 00:00:05 a lot is my javascript code
- 00:00:08 secure because you probably
- 00:00:11 saw before that if you open the
- 00:00:13 developer tools on a page
- 00:00:15 created by you and it's the same for
- 00:00:17 other pages by the way
- 00:00:18 you can inspect the javascript code
- 00:00:20 there in the chrome developer tools
- 00:00:22 you can simply go to sources and boom
- 00:00:25 you see
- 00:00:26 all the javascript code of that project
- 00:00:30 so all the javascript code running in
- 00:00:32 the browser but doesn't that mean that
- 00:00:34 your project is insecure let me answer
- 00:00:37 this question
- 00:00:38 in this video
- 00:00:42 so we can inspect all the javascript
- 00:00:44 code and this is a very simple
- 00:00:46 angular application here now in the
- 00:00:49 sources tab of the chrome developer
- 00:00:50 tools we can see the javascript files
- 00:00:53 that were
- 00:00:53 loaded as part of this website here and
- 00:00:56 this website happens to use angular so
- 00:00:59 what we see here in the end
- 00:01:00 is the compiled angular code because we
- 00:01:03 obviously in case you know angular
- 00:01:05 we write angular with typescript and a
- 00:01:07 lot of cool features
- 00:01:08 but in the end all of that gets compiled
- 00:01:10 to javascript code
- 00:01:12 that runs in the browser which doesn't
- 00:01:13 support typescript for example
- 00:01:15 so here we get the compiled javascript
- 00:01:17 code and in there in the end we see
- 00:01:19 all the code we wrote in the main.js
- 00:01:21 file here for example
- 00:01:23 if we scroll through it we could find
- 00:01:25 some snippets of
- 00:01:26 our app some code which belongs to our
- 00:01:29 app which we
- 00:01:30 wrote just compiled to javascript now i
- 00:01:33 got a very simple app here i got a login
- 00:01:34 screen can also switch to the sign up
- 00:01:36 screen
- 00:01:37 get some validation in place and if i do
- 00:01:39 sign up nothing will work as of now
- 00:01:41 because there's one thing i still have
- 00:01:43 to add
- 00:01:44 i'll use firebase here but you could use
- 00:01:46 any backend
- 00:01:47 what i do have to add here in the case
- 00:01:49 of firebase is my
- 00:01:50 api key and for that i created a
- 00:01:53 firebase
- 00:01:54 project but again that could be the case
- 00:01:56 for any backend
- 00:01:57 you might need some api key to send
- 00:02:00 requests there
- 00:02:01 or you've got some other parts some
- 00:02:03 other information in your code
- 00:02:05 where you're not sure if you can share
- 00:02:07 that
- 00:02:08 so let's work on firebase here quickly i
- 00:02:10 already created a project
- 00:02:12 here it is and in that project
- 00:02:15 i won't do anything here i just want to
- 00:02:17 enable authentication so in
- 00:02:18 authentication let's
- 00:02:20 turn this on like this and again not
- 00:02:23 really related to firebase it's just a
- 00:02:25 convenient to use
- 00:02:26 dummy back-end here where i don't need
- 00:02:28 to write a lot of code i need my api key
- 00:02:30 then
- 00:02:31 so this key let me copy that and add it
- 00:02:34 here we'll replace that api key with
- 00:02:37 that
- 00:02:38 with that replaced what i can do is i
- 00:02:40 can go back to my angular app
- 00:02:42 and let me open the console now
- 00:02:46 in there i can now start creating users
- 00:02:49 so i can create a user here with
- 00:02:51 testedtask.com
- 00:02:52 let's pick a password sign up it's
- 00:02:54 loading and i'm authenticated
- 00:02:56 this also is a success response sent by
- 00:02:59 firebase
- 00:03:00 if i go back to firebase and i have a
- 00:03:02 look at my users i can see that user
- 00:03:04 there
- 00:03:05 with that user created if i reload the
- 00:03:07 app and i'm therefore locked out because
- 00:03:09 i have no
- 00:03:10 mechanism to keep me logged in i can log
- 00:03:13 in again with the same credentials
- 00:03:16 i should be able but i had a wrong
- 00:03:18 password i guess
- 00:03:20 yeah so it works so this is all working
- 00:03:23 but what
- 00:03:23 am i trying to show you here well
- 00:03:26 obviously it's all about that api key
- 00:03:29 that is information which any user of
- 00:03:32 our app
- 00:03:32 can access in the running app and not
- 00:03:34 just us
- 00:03:35 so here if i go to sources again in the
- 00:03:38 main.js file this is where
- 00:03:41 our code lives let's search for
- 00:03:44 api in there and indeed if i increase
- 00:03:47 that
- 00:03:47 we see here is some code which in the
- 00:03:49 end holds
- 00:03:50 these links and there we can see that
- 00:03:52 api key and
- 00:03:54 any user of this app can see that now
- 00:03:57 here it's particularly
- 00:03:58 easy to read because i'm still in
- 00:04:00 development mode in production mode it
- 00:04:02 would look a bit different
- 00:04:03 we can quickly have a look at another
- 00:04:05 app for that
- 00:04:06 why not add the firebase console which
- 00:04:09 also uses a lot of javascript
- 00:04:11 there if i open the sources tab we also
- 00:04:14 find
- 00:04:14 some code in there now let me quickly
- 00:04:16 grab a promising
- 00:04:18 file say this file doesn't really matter
- 00:04:22 then you see this is how it would look
- 00:04:23 like in a production build
- 00:04:26 so all the variable names are shortened
- 00:04:29 and all the white space is removed
- 00:04:31 because this
- 00:04:32 still is javascript code that executes
- 00:04:34 without issues the browser can read that
- 00:04:36 for users it's harder but even in that
- 00:04:39 version
- 00:04:40 this url would still be what it is this
- 00:04:43 can't be
- 00:04:44 hidden it won't be hidden the browser
- 00:04:46 can't hide this because the browser
- 00:04:49 parses this and it's part of what gets
- 00:04:51 shipped to the browser
- 00:04:52 so every user of this page can access
- 00:04:55 this data
- 00:04:56 now that leads us to the final question
- 00:04:58 is this a problem
- 00:05:00 and the answer is no not necessarily at
- 00:05:03 least
- 00:05:03 you should definitely not put anything
- 00:05:06 into your javascript code
- 00:05:07 which is absolutely confidential which
- 00:05:11 users must not
- 00:05:12 see like your root password for your
- 00:05:15 firebase account you don't want to put
- 00:05:17 that in here
- 00:05:18 the api key is something different with
- 00:05:20 the api key
- 00:05:22 and that of course is not only the case
- 00:05:23 for firebase but for most api or all api
- 00:05:26 keys you use on any api with dev key
- 00:05:28 alone no one can access your firebase
- 00:05:30 account
- 00:05:31 they don't have your password and that
- 00:05:33 api key is not even your username
- 00:05:35 so people can't access the account what
- 00:05:37 they can do of course
- 00:05:39 is they can grab that url that entire
- 00:05:42 url
- 00:05:42 and add this login and sign up to their
- 00:05:45 own page
- 00:05:45 using your api now is that an issue
- 00:05:49 it depends you can have an api which
- 00:05:51 should be public which you want other
- 00:05:54 users to use
- 00:05:55 and then this is perfectly fine if
- 00:05:57 you're saying
- 00:05:58 hey i got my firebase project and i only
- 00:06:01 want to use it from my angular app and
- 00:06:03 not from
- 00:06:03 any app well then you can lock down
- 00:06:06 access
- 00:06:07 you can do that in firebase you can set
- 00:06:09 up a api
- 00:06:10 whitelist to be precise you can do that
- 00:06:12 in the google
- 00:06:13 developer console not the google play
- 00:06:16 console but the google api console to be
- 00:06:19 precise
- 00:06:20 there what you can do is you can visit
- 00:06:23 that credentials page and on the
- 00:06:24 credentials page
- 00:06:27 you can load your firebase project here
- 00:06:30 on the top with this drop down
- 00:06:31 and there you see that api key and on
- 00:06:35 that api key
- 00:06:36 if you click on it we need the browser
- 00:06:38 key here
- 00:06:39 then you can restrict it to certain ip
- 00:06:41 addresses or domains
- 00:06:43 so this is a way for you to control
- 00:06:45 which ip addresses or domains can
- 00:06:48 send requests to this api with that key
- 00:06:51 and if the request is coming from
- 00:06:52 another page it will get blocked
- 00:06:55 and you have similar mechanisms for
- 00:06:57 other solutions or if you're creating
- 00:06:59 your own api you simply have to add the
- 00:07:01 logic to have
- 00:07:02 this extra filter if you want that
- 00:07:04 lockdown
- 00:07:05 so long story short if you got
- 00:07:08 information which gives direct access to
- 00:07:10 your account like your password or your
- 00:07:12 email address or stuff like that
- 00:07:14 don't put it into your javascript code
- 00:07:16 into your frontend-facing javascript
- 00:07:18 code i should say for node.js it's fine
- 00:07:21 if you get other things which only grant
- 00:07:23 access to an api but not to your account
- 00:07:26 you might want to grant that access to
- 00:07:28 everyone if you don't
- 00:07:29 set up some filtering logic which uses
- 00:07:32 an ip white list
- 00:07:34 for example to lock down access now if
- 00:07:37 you got
- 00:07:38 some information which you need to use
- 00:07:40 from your front end for example i had a
- 00:07:42 use case where
- 00:07:44 i needed a token where i needed to sign
- 00:07:47 up users
- 00:07:48 to my newsletter and that token actually
- 00:07:51 was not something i
- 00:07:52 wanted to expose to other users because
- 00:07:54 with the token
- 00:07:56 anyone could target my newsletter api
- 00:07:59 and could send requests to it to add
- 00:08:01 users to it
- 00:08:02 without the consent of these users the
- 00:08:05 problem is i also
- 00:08:06 couldn't lock down access through a
- 00:08:08 whitelist because my newsletter provider
- 00:08:10 the service i was using didn't offer
- 00:08:12 such a feature
- 00:08:13 so what i did is i wrapped it into some
- 00:08:15 server-side code
- 00:08:16 i created aws lam the function but you
- 00:08:19 can of course also create your own
- 00:08:21 api with node php whatever you need and
- 00:08:24 there i sent that request
- 00:08:26 to my newsletter service and with that
- 00:08:30 i had to send a request to my
- 00:08:33 cloud function to my aws lambda function
- 00:08:36 and that would then forward the request
- 00:08:38 and i could lock down the access to my
- 00:08:41 lambda function so
- 00:08:42 i created my own wrapper that is
- 00:08:44 basically what i wanted to say
- 00:08:45 and this is also some creative way you
- 00:08:47 can work around this
- 00:08:48 issue if you have an api which doesn't
- 00:08:51 give you a native
- 00:08:52 lockdown mechanism so i hope this was
- 00:08:55 helpful and this clarifies this
- 00:08:57 question of whether it's a problem that
- 00:08:59 people can read your javascript code
- 00:09:02 they can read it but if you do it right
- 00:09:04 they can't do anything with that
- 00:09:06 and by the way if you're worrying about
- 00:09:08 people stealing your logic
- 00:09:10 yes they can do that but for one the
- 00:09:13 production code is really hard to read
- 00:09:15 so it's not that much fun and two yeah
- 00:09:18 people can
- 00:09:19 steal it but your app shouldn't be great
- 00:09:22 or because of your complex
- 00:09:24 browser javascript code your core
- 00:09:27 business logic
- 00:09:28 will always reside on the server any
- 00:09:31 machine learning or whatever you got
- 00:09:33 there
- 00:09:34 that will be on the server your
- 00:09:35 front-end javascript code
- 00:09:37 is always about creating pleasant user
- 00:09:39 experiences
- 00:09:40 handling user interactions stuff like
- 00:09:42 that
- 00:09:43 and if that is your most valuable asset
- 00:09:47 you can't hide that unfortunately but it
- 00:09:49 also shouldn't be that easy
- 00:09:51 to clone it and there should be more to
- 00:09:52 your product than your browser site
- 00:09:55 javascript code