Should I add the google-services.json (from Firebase) to my repository?
GitVersion ControlFirebaseGit Problem Overview
I just signed up with Firebase and I created a new project. Firebase asked me for my app domain and a SHA1 debug key. I input these details and it generated a google-services.json file for me to add in the root of my app module.
My question is, should this .json file be added to a public (open source) repo. Is it something that should be secret, like an API key?
Git Solutions
Solution 1 - Git
A google-services.json
file is, from the Firebase doc:
> Firebase manages all of your API settings and credentials through a single configuration file.
The file is named google-services.json
on Android and GoogleService-Info.plist
on iOS.
It seems to make sense to add it to a .gitignore
and not include it in a public repo.
This was discussed in issue 26, with more details on what google-services.json
contains.
A project like googlesamples/google-services
does have it in its .gitignore
for instance.
Although, as commented by stepheaw, this thread does mention
> For a library or open-source sample we do not include the JSON file because the intention is that users insert their own to point the code to their own backend.
That's why you won't see JSON files in most of our firebase repos on GitHub.
If the "database URL, Android API key, and storage bucket" are not secret for you, then you could consider adding the file to your repo.
As mentioned in "Is google-services.json safe from hackers?", this isn't that simple though.
baueric asks in the comments:
> In that post he says:
> > The JSON file does not contain any super-sensitive information (like a server API key)
>
> But the google-services.json
does have entry called api_key
.
Is that a different api key than a "server api key
"?
Willie Chalmers III points to "Is google-services.json safe from hackers?", and adds:
> Yes, that API key isn't a server API key which should never be public, so it's fine if your google-services.json
is visible by others.
>
> In any case, you should still restrict how your client API key can be used in the Google Cloud console.
Solution 2 - Git
From this discussion it seems you can add it to a public repo. Its content ends up in the APK anyway and is probably easy to extract.
Solution 3 - Git
responding @Yaron last comment. based on my limited knowledge and use of firebase.
in firebase project console (where you download google-services.json) and get the API key. you put the app ID and also you provide an SHA certificate. so for the request to work it needs to be from the app corresponding with the same app ID and certificate.
so there is no 2end key in the codebase to hide. The back end verify.
Solution 4 - Git
It says the content of this file is public in the Firebase Documentation:
The content of the Firebase config file or object is considered
public, including the app's platform-specific ID (Apple bundle ID or
Android package name) and the Firebase project-specific values, like
the API Key, project ID, Realtime Database URL, and Cloud Storage
bucket name. Given this, use Firebase Security Rules to protect your
data and files in Realtime Database, Cloud Firestore, and Cloud Storage.