Storing API keys in a Flutter Firebase app? Do I need to hide them? How? - firebase

I am developing an iOS/Android app with Flutter and Firebase (mainly Cloud Firestore and Firebase Auth). According to the Firebase documentation/example, they just put the API key along with the googleAppID straight into the app's source code. This to me seems very insecure, but at the same time I did hear that Dart is compiled AOT. So what is the best practice for putting the Firebase API keys in a Flutter app?
Any response is appreciated!

That example is usually not followed. The key is stored in the google-services.json file or the equivalent for iOS that should be added to the project following the Firebase setup instructions. This removes the issue with people easily knowing your key. I don't believe it would matter if someone did, however, as the key is intended to be public.
Setup Instructions

Related

Create and configure Firebase project programmatically

I am building an automation process for my app, which includes creating several new Firebase projects. (After a lot of investigation, I am sure that several projects are needed, and that it cannot be done with just one project).
I am looking for a way to create a new Firebase project from scratch, and enable Phone Auth, Cloud Firestore, and Cloud Storage, along with security rules, programmatically.
I have taken a look at the Firebase Management REST API, which indeed shows a way to create a new Firebase project and link it to an existing GCP project, but couldn't find a way to configure the project itself through the API (Authentication, Firestore, Storage, etc.).
Is there any way to create and configure a Firebase project from scratch, using an API/SDK or CI/CD of some kind?
Thank you!
Have you looked into the firebase-admin SDK? It is a backend-only API because it needs your private key to authenticate against and can therefore not be used in the app directly (shipping your private key with the app would be a pretty big security issue!), but as I understand it, creating new firebase-projects is something of a backend activity for you anyway?!
Look at https://firebase.google.com/docs/auth/admin/ for the API's documentation and what you can do with it.
So after a lot of research, it seems that we can combine the Firebase CLI and the Firebase Admin SDK in order to achieve it.
We can create a new project using the command
    firebase projects:create NEW_PROJECT_ID
and then configure all of the necessary configurations through the Admin SDK.

Firebase and Expo. Deploy Expo App. Hiding Keys

I see this question has already been asked but not all that recently so I am bringing it up again.
How do you hide your firebaseConfig file, or any secret key, in an expo application? (For production, not dev).
As far as I can tell, there is no way to properly hide the firebase config file with API keys etc in a react-native expo app.
Being that I have already built my entire app around interacting with firestore, I am a bit perplexed as to how to proceed forward.
If I eject, is there a way to properly hide my API key in a non-expo react-native-app? Or will I still face the same problem? Everything is working smoothly and I would prefer not to eject.
I have some experience using node.js/express.js as a backend (only ever in a development setting). Should I build myself a server and then serve the config info from there?
If I want to deploy a 'demo' app, is there a way to hide the keys while still using expo?
Any insight into this would be so helpful.
As far as I am aware there is no 'dotenv' package compatible with expo.
Also I have zero experience in deploying mobile apps, and very little in deploying web apps. I have not yet had to deal with securing keys in deployment.
Any help would be so appreciated.
It's not possible to effectively hide your Firebase config information. The best you can do is make it more difficult for someone to find them. Since all the JavaScript code is running on a computer or device that you don't control, you can't ensure that any of it is hidden from view.
In fact, you don't need to hide any of that. I suggest reading this: Is it safe to expose Firebase apiKey to the public?
If you're using Realtime Database, Firestore, or Cloud Storage, you should be using security rules to protect data so that only authorized users can access it.
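The answers on this page separate two kinds of Firebase credentials: the client config (apiKey, app ID), which is meant to ship inside the app, and the Admin SDK service-account private key, which must stay on a backend. The following check is an added example, not code from any of the posts; it tells the two apart in files headed for an app bundle. The function names `auditFirebaseConfig` and `safeToBundle` are hypothetical and all sample values are constructed.

```javascript
// Added example. Field names follow google-services.json and Google
// service-account key files; every sample value below is constructed.
const SECRET_FIELDS = new Set(['private_key', 'private_key_id']);
const PUBLIC_FIELDS = new Set(['apiKey', 'appId', 'projectId', 'project_id',
  'current_key', 'mobilesdk_app_id', 'messagingSenderId', 'storageBucket']);
const PEM_PRIVATE_KEY = /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/;

// Walk a parsed JSON config and record the path of every value that is a
// server-side secret, plus the client identifiers that are expected to ship.
function auditFirebaseConfig(node, path = '$', report = { secrets: [], publicIds: [] }) {
  if (node === null || typeof node !== 'object') return report;
  for (const [key, value] of Object.entries(node)) {
    const here = Array.isArray(node) ? `${path}[${key}]` : `${path}.${key}`;
    if (typeof value !== 'string') {
      auditFirebaseConfig(value, here, report); // recurse into objects and arrays
    } else if (SECRET_FIELDS.has(key) || PEM_PRIVATE_KEY.test(value) ||
               (key === 'type' && value === 'service_account')) {
      report.secrets.push(here);
    } else if (PUBLIC_FIELDS.has(key)) {
      report.publicIds.push(here);
    }
  }
  return report;
}

// A file may go into the app bundle only if it carries no server-side secret.
const safeToBundle = (config) => auditFirebaseConfig(config).secrets.length === 0;

const sampleGoogleServices = { // constructed, shaped like google-services.json
  project_info: { project_number: '000000000000', project_id: 'demo-project' },
  client: [{
    client_info: { mobilesdk_app_id: '1:000000000000:android:0000000000000000' },
    api_key: [{ current_key: 'AIzaSy-CONSTRUCTED-EXAMPLE-KEY' }],
  }],
};
const sampleServiceAccount = { // constructed, shaped like an Admin SDK key file
  type: 'service_account',
  project_id: 'demo-project',
  private_key_id: '0000000000000000',
  private_key: '-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n',
  client_email: 'firebase-adminsdk@demo-project.iam.gserviceaccount.com',
};

for (const [name, cfg] of [['google-services.json', sampleGoogleServices],
                           ['service-account.json', sampleServiceAccount]]) {
  const { secrets } = auditFirebaseConfig(cfg);
  console.log(name, secrets.length ? `DO NOT SHIP: ${secrets.join(', ')}` : 'client config only');
}
```

Passing this check only means no backend credential is bundled; access to the data itself is still decided by the security rules mentioned above.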

flutter & cloud firestore for web, ios, web

I want to develop a flutter app for android, ios and web. My idea was to use flutter so that I can build all of those three components with the same source code. As a DB I decided to use cloud firestore, as I thought that it would have the easiest flutter integration. For android it works great, however for web my code seems unusable.
I came across this plugin list, and it seems the only plugins available also for web are firebase_core and firebase_auth:
https://github.com/FirebaseExtended/flutterfire#available-flutterfire-plugins
So now I have the following questions:
What can I do with the firebase_core plugin? Can I access my firestore DB? (There seems to be no real documentation..)
To learn what you can do with the firebase-core plugin, have a look at the sample app for it.
Mostly it allows you to create FirebaseApp objects, which you need to create any of the other Firebase service objects (such as FirebaseAuth). So while you can't really do anything meaningful with just firebase-core, it is a prerequisite for most other Firebase services.

Firebase Cloud Functions - access debug or release database

I have a project for both Android and iOS that's using cloud functions for the same app behavior and consistent data storing. For now we were debugging apps on a single database, storage and authentication.
The problem is when I switch to the release variant I want functions to operate on the release database, storage and auth.
I've been searching for an answer to my problem and all I've found was this: How to access multiple Realtime Database instances in Cloud Functions for Firebase
but it doesn't help too much.
Is there a way to go about that without making another Firebase project for release variant?
OK, so basically just a while after posting this question I found the official Firebase guide that helped me resolve this issue.
Short answer: no, you have to create another project in Firebase as described in the guide.

Expo and react-native-firebase

I'm trying to integrate Firebase into my expo app using the react-native-firebase framework which has several advantages over the regular firebase package when it comes to react-native apps.
However, I'm running into difficulties since the instructions say I must add the GoogleService-Info.plist to ios/[YOUR APP NAME]/GoogleService-Info.plist, and expo apps don't have an ios folder from what I understand.
Am I pretty much screwed or is there a solution for this?
As the react-native-firebase documentation says, you need to eject your app if you want to use this library with expo. Keep in mind that the eject action is not reversible. More info here and here and here.
If you use Expo and would like to use this package, you'll need to
eject. If you do not want to eject, but wish to make use of features
such as Realtime Database (without offline support) & Authentication,
you can still use the Firebase Web SDK in your project.
Today, you can't have the Firebase react-native sdk with expo. And this is not planned according to: https://expo.canny.io/feature-requests/p/full-native-firebase-integration.
So you have to play only with the javascript sdk from Firebase.
Cloud Firestore is new, it will be better for the javascript sdk for offline and sync.
The author of this thread: Fresh Detached Expo + RNFirebase not running on Android has managed to get it working with the Detached ExpoKit - so it's not a full ejection and keeps the expo features.
I have asked for the steps he took so we can see about getting something added to our docs and possibly a Detached ExpoKit version of our starter app.
See the expokit detaching docs for information about ExpoKit.
It's in progress --
https://blog.expo.io/using-firebase-in-expo-e13844061832
Using Firebase in Expo
And how we plan on adding it to the client 😁
We are super excited to announce that we will be rolling out a suite of Unimodules that will provide you with easy access to native Firebase features! Initially you will only be able to use these in a detached ExpoKit App. But over time we will be working to add these to vanilla Expo.
TL;DR
Here are the modules, you will need to detach to add them for now:
App/Core
Analytics
Authentication
Cloud Firestore
Cloud Functions
Instance ID
Performance Monitor
Realtime Database
Cloud Storage
Remote Config
Firebase Cloud Messaging
Remote Notifications
Dynamic Linking
Invites
Crashlytics
Also TL;DR
Here is a boilerplate: https://github.com/EvanBacon/expo-native-firebase
Update 02-12-2021
Guys, Expo's eas-build is now public. You can add custom native code and use react-native-firebase. Here is the link to a YouTube tutorial. The video is short and super easy to follow. Here is the link to the docs.
Previous answer
If you are using Firebase using the mobile configuration, it does not work, but it worked smoothly when I tried the web configuration. Here is the youtube tutorial. Watch from 38:20 to set up.
I managed to get a working set of react-native with redux, firestore and expo. See Code example at Github.
But it costs the offline-persistence (see https://github.com/firebase/firebase-js-sdk/issues/436). So from my point of view it costs performance, because I need to be online to get a full working app with firestore and react-native.
