I just signed up with Firebase and I created a new project. Firebase asked me for my app domain and a SHA1 debug key. I input these details and it generated a google-services.json file for me to add in the root of my app module.
My question is, should this .json file be added to a public (open source) repo. Is it something that should be secret, like an API key?
ベストアンサー1
A google-services.json
file is, from the Firebase doc:
Firebase manages all of your API settings and credentials through a single configuration file.
The file is namedgoogle-services.json
on Android andGoogleService-Info.plist
on iOS.
It seems to make sense to add it to a .gitignore
and not include it in a public repo.
This was discussed in issue 26, with more details on what google-services.json
contains.
A project like googlesamples/google-services
does have it in its .gitignore
for instance.
Although, as commented by stepheaw, this thread does mention
For a library or open-source sample we do not include the JSON file because the intention is that users insert their own to point the code to their own backend.
That's why you won't see JSON files in most of our firebase repos on GitHub.
If the "database URL, Android API key, and storage bucket" are not secret for you, then you could consider adding the file to your repo.
As mentioned in "Is google-services.json safe from hackers?", this isn't that simple though.
baueric asks in the comments:
In that post he says:
The JSON file does not contain any super-sensitive information (like a server API key)
But the
google-services.json
does have entry calledapi_key
.
Is that a different api key than a "server api key
"?
Willie Chalmers III points to "Is google-services.json safe from hackers?", and adds:
Yes, that API key isn't a server API key which should never be public, so it's fine if your
google-services.json
is visible by others.In any case, you should still restrict how your client API key can be used in the Google Cloud console.
As noted by Puzz in the comments, see also "Is it safe to expose Firebase apiKey to the public?"
In that answer, Frank Van Puffelen mentions:
Update (May 2021): Thanks to the new feature called Firebase App Check, it is now actually possible to limit access to the backend services in your Firebase project to only those coming from iOS, Android and Web apps that are registered in that specific project.