'Should I add the google-services.json (from Firebase) to my repository?
I just signed up with Firebase and I created a new project. Firebase asked me for my app domain and a SHA1 debug key. I input these details and it generated a google-services.json file for me to add in the root of my app module.
My question is, should this .json file be added to a public (open source) repo. Is it something that should be secret, like an API key?
Solution 1:[1]
From this discussion it seems you can add it to a public repo. Its content ends up in the APK anyway and is probably easy to extract.
Solution 2:[2]
responding @Yaron last comment. based on my limited knowledge and use of firebase.
in firebase project console (where you download google-services.json) and get the API key. you put the app ID and also you provide an SHA certificate. so for the request to work it needs to be from the app corresponding with the same app ID and certificate.
so there is no 2end key in the codebase to hide. The back end verify.
Solution 3:[3]
It says the content of this file is public in the Firebase Documentation:
The content of the Firebase config file or object is considered
public, including the app's platform-specific ID (Apple bundle ID or
Android package name) and the Firebase project-specific values, like
the API Key, project ID, Realtime Database URL, and Cloud Storage
bucket name. Given this, use Firebase Security Rules to protect your
data and files in Realtime Database, Cloud Firestore, and Cloud Storage.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Yaron |
| Solution 2 | mohammad aljammali |
| Solution 3 | mbonnin |