Is it safe to keep the firebase config file (with the APIkey)when deploying my mobile app (front-end react native) to the google play store and app store?
How can I make it safer?
As Doug commented, the google-services.json (or google-services.plist file for iOS) does not contain any secret credentials. It merely contains the configuration data that your app needs to find its Firebase project on the servers. So sharing it with other developers on your app is not only safe, it's required for them to build an app that communicates with the same Firebase project.
You may want to consider keeping it out of version control though, and instead only deploy it onto your build server. The reason for this is not as much that that data is secret, but more that each developer should typically set up their own Firebase project for their development work. That way they won't be stepping onto each other's toes during feature development work.
Also see:
Is it safe to expose Firebase apiKey to the public?
Should I add the google-services.json (from Firebase) to my repository?
Related
I am trying to follow the firebase-electron guide instructions documented in the readme file here:
https://firebaseopensource.com/projects/david-asher/electron-firebase/#create-a-firebase-project
But I eventually get to a step which says
It is highly recommended that you add firebase-config.json to your .gitignore file. It contains project-specific information that you do not want to check in with the app, nor should it be packaged when building your app.
I was planning on releasing my electron app on the mac / windows / linux stores. And if firebase-electron needs the firebase-config.json file variables, then is there no way to release my electron app with authentication using firebase?
My end goal is to release an electron app with login capabilities that can work on both an electron app and browser. Specifically the YouTube API for uploading videos in node.js which requires a request to be made using the user's auth token (which you can get signing in through google using firebase, but can I release an app with firebase?)
Or maybe is there a better solution / example
As per the Firebase documentation, the contents of google-services.json are considered public. These can be easily retrieved by decompiling the apk.
If so, is there a way to prevent apps from registering with my Firebase project?
I understand that the registration works on the basis of package name. While it's not possible to publish an app with a duplicate package name, for development it is very much possible.
I created a dummy app, and my dummy app successfully registered with my production project. So, looking for a way to prevent that from happening.
You should be connecting your app to Firebase Emulator for local development.
You can go to Firebase console -> Authentication tab -> Sign-in Method tab, and remove localhost from Authorized domain, that way your app will never connect to production DB.
i Already hosted a Web page Project to Filebase console using firebase deploy comment , How can i Download the Project files Now ?
firebase deploy
You can not download the project files...
That you can download is the data/files you have stored in your realtime database or firestore database.
You can switch between deploys as well, you can roll back to older deploy or to the newer depending of your needs, but you can not download any of it.
There is no blanket "code pull" from Firebase, so you will need to take a different approach for each product.
Product
How to get the code/data
Hosting
There is no API to get your hosted files back from Firebase, but you can usually get pretty close by crawling the site. See Pull lost code from Firebase Hosting deployment
Realtime Database
You can either use one of the SDKs, use the REST API (for small databases this may be as simple as adding .json to the end of the database URL), or you can set up automatic backups and get the data from there.
Firestore
You can either use one of the SDKs or REST API here too, or you get export through the console or gcloud CLI as explained here
Authentication
You can export all your users through the Admin SDK or the Firebase CLI
Cloud Functions
The closest you can get here is to copy/paste the code from the Google Cloud console as explained here: Get code from firebase console which I deployed earlier
I have firebase project in which it has 5 apps.So I have deployed firebase functions from two apps , for notifications between them, and now I have changed the package name of one of the apps that deployed the functions, so added a new app to the same firebase project and downloaded new google-services.json and added it to the flutter project in the Android studio. My question is how is it possible that even now after changing and completely new google-services.json, firebase functions are working for the app. And
how they are identifying that they belong to this app?
What happens to google-services.json file if I delete the all the other apps in the firebase project except these two apps,as some information about these apps are stored in google-services.json file?
P.S: Suggest an edit if there's anything wrong with the question
Thanks for the help in advance :)
Cloud Function are deployed to a project, and not to a specific application within that project.
So if you're using callable Cloud Functions, the client-side SDK just reads the project details from the google-services.json. It does not use app-specific configuration data.
But if you have have two apps within a project, the FCM tokens for those apps are going to be different. So you can target the users of a specific app based on their unique tokens.
For logging purposes I´d like to print to console or even display the current deploy ID (or message) of my firebase web app that is being accessed by the browser.
Firebase Hosting recently released a new REST API. You can use sites.releases.list to see what version is currently deployed.
Old answer:
Firebase deploy IDs don't appear to be available anywhere via programmatic access. The CLI doesn't support listing current or previous deploys.
My recommendation would be to go in the other direction. Have your source code in a vcs like git. When you build and deploy a new version set the vcs hash or version in the deployed code and as the message for firebase deploy. You can then log the log the source version in your code and you can manually associate that back to a release in the Firebase UI.