I see this question has already been asked but not all that recently so I am bringing it up again.
How do you hide your firebaseConfig file, or any secret key, in an expo application? (For production, not dev).
As far as I can tell, there is no way to properly hide the firebase config file with API keys etc in a react-native expo app.
Being that I have already built my entire app around interacting with firestore, I am a bit perplexed as to how to proceed forward.
If I eject, is there a way to properly hide my API key in a non-expo react-native-app? Or will I still face the same problem? Everything is working smoothly and I would prefer not to eject.
I have some experience using node.js/express.js as a backend (only ever in a development setting). Should I build myself a server and then serve the config info from there?
If I want to deploy a 'demo' app, is there a way to hide the keys while still using expo?
Any insight into this would be so helpful.
As far as I am aware there is no 'dotenv' package compatible with expo.
Also I have zero experience in deploying mobile apps, and very little in deploying web apps. I have not yet had to deal with securing keys in deployment.
Any help would be so appreciated.
It's not possible to effectively hide your Firebase config information. The best you can do is make it more difficult for someone to find them. Since all the JavaScript code is running on a computer or device that you don't control, you can't ensure that any of it is hidden from view.
In fact, you don't need to hide any of that. I suggest reading this: Is it safe to expose Firebase apiKey to the public?
If you're using Realtime Database, Firestore, or Cloud Storage, you should be using security rules to protect data so that only authorized users can access it.
Related
I'm working on a Google Sheets add-on that needs to interact with existing web-app. The app uses Firebase for authentication. Firebase is not available as an "Advanced Google Service" and there is no official library (as well as official docs advice against using libraries in an add-on), so I'm using #firebase/auth in the client-side code.
The code is simple and the same as I'm using in the web-app (without FirebaseUI, but I've tried it as well) and because add-ons cannot use cookies or localStorage*, the Firebase cannot persist a local session.
Within the add-on we can only use Google Script Properties service, so I'm looking if there is a way to persist a session manually for the Firebase (like provide own "Storage" implementation, I've just done this for another node package I use in the add-on).
The question is mostly about Firebase and environment with no cookies/localStorage but other storage, but I may be missing some other way to use Firebase Auth with script add-ons.
Thanks for you help.
Edited: removed indexedDB, I've checked it in Console and accidentally switched from iframe to the top context, of course indexedDB is also unavailable in iframe (we should be sure the add-on works in Chrome).
* yes, we can ask user to go to the Chrome settings and select "Allow all cookies" but this is not an option for production.
I don't think there's any documented way to control the storage that Firebase Authentication beyond the picking from the options mentioned in the documentation on auth state persistence.
I think allowing you to provide a custom storage implementation would be a valid feature request, so I recommend asking for it here. I don't think the request comes up frequently though, so it may not get the priority you'd like. In that case: implementing the feature would require allowing the developer to specify their own storage in the public SDK, and then you in your project implementing your own storage provider similar to the storage providers in the SDK.
I've looked around for answers to my question, but most are actively trying to do what I don't want which is why I'm asking.
An app I'm developing for the company I work for has gone live, and so to further develop I need to use Firebase preview channels.
I've looked over the documentation and it states that channels use the same resources, which I find a little unclear.
Does this mean that preview channels are UI only and using an app on a preview channel will still write to the live database (Firestore) that customers are currently using?
If you're talking about Firebase Hosting preview channels, the only difference between each channel is the web content (html, css, js, images) that you deploy to it. The configurations for the other Firebase products (database, analytics, etc) don't change at all. You can see this for yourself by printing the active Firebase configuration in JavaScript - you should see the all the same values.
If you want to build against a different database before you push updates to production, you should instead use completely different Firebase projects to keep them separate. It's common for developers to keep multiple projects for multiple environments, such as development, staging, and production. This is the formal recommendation.
Bottom line: A Firebase Hosting preview channel just lets you try out different web assets against the same backend services. If you want different working environments to avoid disturbing customers in production, you should use different projects entirely.
I am developing an iOS/Android app with Flutter and Firebase (mainly Cloud FireStore and Firebase Auth). According to the Firebase documentation/example, they just put the API key along with the googleAppID straight into the app's source code. This to me seems very insecure, but at the same time I did hear that dart is compiled AOT. So what is the best practice for putting the Firebase API keys in a Flutter app?
Any response is appreciated!
That example is usually not followed. The key is stored in the google-services.json file or the equivalent for iOS that should be added to the project following the Firebase setup instructions. This removes the issue with people easily knowing your key. I don't believe it would matter if someone did however as the key is intended to be public.
Setup Instructions
I'm working on a product which uses Firebase as its backend. Since firebase exposes the API keys to the user so that could be a security issue. So, after doing some research I've set the database security rules along with API keys restrictions.
But, now I'm unable to use it in local development as well. I was thinking of creating another firebase project and use that as a testing environment and use the existing one as production.
Since the existing project has a lot of data and users. I want everything similar in the new firebase project as well. But I'm unable to find an efficient way to do so. Can anyone please suggest what would be the best option here? Should I create a new testing environment or is there a way to allow me to use the keys locally without it causing a security concern?
Any help would be great. Thank you for your time.
There is no specific command to replicate one project to another, but you can build the necessary functionality yourself with each product's APIs.
For porting users between projects you can use:
The Firebase CLI, which has auth:import and auth:export commands.
The Firebase Admin SDK, which has commands to list all users and import a list of users.
For transferring data between the projects, you can use the API of the relevant database to read/write the data.
After having issues with crashes in Android O and also seeing that GCM is fully deprecated we are trying to migrate to FCM. Keep in mind I did zero of the setup on this project, so I'm just trying to follow the migration guide. Our server side team is very busy right now, so I'm trying to make it as easy as I can for them.
So someone gave me owner permissions on the Google APIs dashboard for the project, where I can see that Google Cloud Messaging is enabled. So I gave owner permissions to an account we now use for all of our mobile online accounts and consoles.
Then I logged into the Firebase console, but when I click "add project" I do not have the option to import the existing GCM project, as the docs seem to say I should. It also doesn't show up for my personal work account either, even though it is also an "owner" account. I was really hoping to migrate this way so that we might not have to get new api keys.
However, I do see in the Google APIs dashboard that I can "enable" FCM from there. Will this create the Firebase project for me and if so will it generate new keys or can we use the old ones?
OR is it actually better to just create an entirely new FCM project?