As per the Firebase documentation, the contents of google-services.json are considered public. These can be easily retrieved by decompiling the apk.
If so, is there a way to prevent apps from registering with my Firebase project?
I understand that the registration works on the basis of package name. While it's not possible to publish an app with a duplicate package name, for development it is very much possible.
I created a dummy app, and my dummy app successfully registered with my production project. So, looking for a way to prevent that from happening.
You should be connecting your app to Firebase Emulator for local development.
You can go to Firebase console -> Authentication tab -> Sign-in Method tab, and remove localhost from Authorized domain, that way your app will never connect to production DB.
Related
I am currently using GitHub Actions to automate deploys to production, however, developers also have access to deploy code directly from their machines to production. I am wondering how to avoid this situation and only allow new updates to our hosting instance when it comes from an automated PR approval on GitHub.
The current workflow for developers is:
Create a new dev branch based on an assigned issue on GitHub
Develop code changes and test it on localhost via Firebase Emulators
Commit code changes to GitHub and creates a PR
GitHub Actions kicks in to deploy code changes in a preview channel for approval
After code review, PR is approved and code changes get deployed automatically to production
Since developers are required to provide firebase production credentials to initializeApp({...}) - there is no way to avoid a team member from deploying code directly from their machines to production.
Firebase client SDK for Javascript does not allow an app to be initialized withou real project credentials, which means there is no way to initialize an app "only for emulation".
Any thoughts on how to fix this?
Create a new Google account that is only used to deploy and change the developer permissions to only have read access to the production apps.
i Already hosted a Web page Project to Filebase console using firebase deploy comment , How can i Download the Project files Now ?
firebase deploy
You can not download the project files...
That you can download is the data/files you have stored in your realtime database or firestore database.
You can switch between deploys as well, you can roll back to older deploy or to the newer depending of your needs, but you can not download any of it.
There is no blanket "code pull" from Firebase, so you will need to take a different approach for each product.
Product
How to get the code/data
Hosting
There is no API to get your hosted files back from Firebase, but you can usually get pretty close by crawling the site. See Pull lost code from Firebase Hosting deployment
Realtime Database
You can either use one of the SDKs, use the REST API (for small databases this may be as simple as adding .json to the end of the database URL), or you can set up automatic backups and get the data from there.
Firestore
You can either use one of the SDKs or REST API here too, or you get export through the console or gcloud CLI as explained here
Authentication
You can export all your users through the Admin SDK or the Firebase CLI
Cloud Functions
The closest you can get here is to copy/paste the code from the Google Cloud console as explained here: Get code from firebase console which I deployed earlier
Background: I'm creating a website that will deploy websites using firebase. The one-liner is that they fill out information and the web app deploys a website with that information. It's a Node app with react frontend and express backend. I plan to deploy this on firebase too but I'm not attached to this idea. I wrote an npm script that will create a project and deploy a site on the firebase project but it only works because I'm already logged in on my machine. Currently, it logs in through the web interface using OAuth2.0 and my google account. I cant find anything online on this. All my search results bring me to firebase's authentication feature.
Question: Are there alternative programmatic ways to login to firebase? If not, do you have any guidance on how I can accomplish this otherwise?
I think you're confused about what it means to be "logged in to firebase".
If you asking how to automate deployment with the Firebase CLI, without needing to sign in using a browser to authenticate your identity, then you should read the documentation about using the CLI with CI systems. You can sign in once manaully and get a token, then use that token on the command line to perform you deployment without having to manually sign in again.
Is it safe to keep the firebase config file (with the APIkey)when deploying my mobile app (front-end react native) to the google play store and app store?
How can I make it safer?
As Doug commented, the google-services.json (or google-services.plist file for iOS) does not contain any secret credentials. It merely contains the configuration data that your app needs to find its Firebase project on the servers. So sharing it with other developers on your app is not only safe, it's required for them to build an app that communicates with the same Firebase project.
You may want to consider keeping it out of version control though, and instead only deploy it onto your build server. The reason for this is not as much that that data is secret, but more that each developer should typically set up their own Firebase project for their development work. That way they won't be stepping onto each other's toes during feature development work.
Also see:
Is it safe to expose Firebase apiKey to the public?
Should I add the google-services.json (from Firebase) to my repository?
For logging purposes I´d like to print to console or even display the current deploy ID (or message) of my firebase web app that is being accessed by the browser.
Firebase Hosting recently released a new REST API. You can use sites.releases.list to see what version is currently deployed.
Old answer:
Firebase deploy IDs don't appear to be available anywhere via programmatic access. The CLI doesn't support listing current or previous deploys.
My recommendation would be to go in the other direction. Have your source code in a vcs like git. When you build and deploy a new version set the vcs hash or version in the deployed code and as the message for firebase deploy. You can then log the log the source version in your code and you can manually associate that back to a release in the Firebase UI.