How can I make my API key more secure?

Hi, here is an example API key for my database: MzY5NPS8ZTIwUZcxZjNiZmUyMTY1NjBkZDQ5ZGY0OUY=

I know, I know, it takes 99999 years to guess it,

but man, I still have a fear that some kind of brute force attack can really guess it… because with the admin rights he can download my whole DB, with all kinds of sensitive user information.

(My setup: the user calls a Cloudflare Worker (it's something like a cloud function). The Worker auths him with Firebase Auth and then processes his request. The Worker has the admin key and access to the whole database. I know Dgraph has its own auth solution, but I'd rather use Firebase Auth because of all the neat features it has. I want to keep things simple.)

Are there any ways to make the access to my database more secure?

MzY5NPS8ZTIwUZcxZjNiZmUyMTY1NjBkZDQ5ZGY0OUY3747ajdjdjJeieWIEIJFCJOWPWOEI28837474WKRJFJDHJDHX28384884JWJSekroufjcwoowowpkWioeodUyUikByU6yi876y8sisjdjcow

A longer API key like that would make me feel more secure and would make me sleep easier.

Don’t bother with it. If you are really paranoid about this, schedule new API tokens and do some automation with that. But for me, that’s too much for too little.

That's a different case from brute force. That's a genuine worry. Today there are more internal attacks with RaaS, which uses employees to carry out internal attacks, be it for data encryption or extortion over possible data leakage.

For open source usage, you should use some personal strategy. There's no way to give you any with the open source license (at least for the mid-term). You should have someone addressing these ideas and strategies. Some companies build teams, "Red and Blue teams", to force a culture of security.

Firewall, whitelisting, a reverse proxy with some security features. Never give direct access to an operator. Create an API for those who need access to the DB, with some limits. That's the type of strategy that you have to come up with.
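
The limited API this reply recommends, applied to the Worker-with-admin-key setup from the question, as an added example that is not from the thread or from Dgraph. The Worker keeps the admin key but never forwards client-written queries; clients may only name an operation from an allowlist, and the gateway binds the owner filter from the `uid` that Firebase Auth already verified. `ALLOWED_OPS`, `buildScopedQuery`, `buildDgraphRequest`, the `env` variable names, the `owner` predicate and the `Dg-Auth` header are assumptions for illustration.

```javascript
const MAX_PAGE = 50;

// Every operation the client may request is a fixed DQL query chosen by name.
// The owner filter is bound by the gateway from the verified uid, never from
// client input, so one user cannot read another user's nodes. Assumes a schema
// in which each item has an indexed `owner` predicate holding the Firebase uid.
const ALLOWED_OPS = {
  listMyItems: (first) => `query q($owner: string) {
    items(func: eq(owner, $owner), first: ${first}) { uid name }
  }`,
};

// Turn a client payload such as { op: "listMyItems", first: 10 } into a query
// scoped to the caller. `uid` must come from the ID token the Worker already
// verified with Firebase Auth; anything else in the payload is ignored.
function buildScopedQuery(uid, payload) {
  if (typeof uid !== 'string' || uid.length === 0) {
    throw new Error('unauthenticated');
  }
  if (!payload || !Object.prototype.hasOwnProperty.call(ALLOWED_OPS, payload.op)) {
    throw new Error('operation not allowed');
  }
  // Clamp the page size: the client can ask for less than the cap, never more.
  const requested = Number.isInteger(payload.first) ? payload.first : MAX_PAGE;
  const first = Math.max(1, Math.min(requested, MAX_PAGE));
  return { query: ALLOWED_OPS[payload.op](first), variables: { $owner: uid } };
}

// The request the Worker sends to Dgraph. The admin key is read from the
// Worker's environment and sent only in the header; it is never echoed to
// the client. DGRAPH_URL, DGRAPH_ADMIN_KEY and the Dg-Auth header name are
// assumptions for this example.
function buildDgraphRequest(env, uid, payload) {
  const { query, variables } = buildScopedQuery(uid, payload);
  return {
    url: `${env.DGRAPH_URL}/query`,
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Dg-Auth': env.DGRAPH_ADMIN_KEY,
    },
    body: JSON.stringify({ query, variables }),
  };
}
```

Inside a real Worker the object returned by `buildDgraphRequest` is what goes into `fetch`. The point is that a stolen Firebase session or a buggy client can only ever reach the fixed queries, filtered to that one uid and capped at `MAX_PAGE` rows, even though the Worker itself holds a key that could dump the whole database.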

If you are talking about the Cloud API key, no way. That's a standard thing. There is a "Poor man's Auth" in the open source version. You can use that. And I think it can have any size of key you want. Not sure. But it can be big.
