Should we commit firebase_options.dart file in git #7617
-
|
I have updated my project to use the new firebase_options.dart file instead of google-sevices.json. I used to not commit my google-services.json file. Should I do the same with firebase_options.dart file too, or is it safe to commit. I saw that it contains data like apiKey, appId etc. so I thought it might not be safe to commit. But also flutterfire cli saved it in my lib folder so I thought that It could be commited to git. I am a bit confused here. |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 4 replies
-
|
No one has given an answer and I have come from Google search results to here. The red flags are all over the place, so we can safely say that we MUST NOT commit this file. This file can be generated on other dev machines with simple |
Beta Was this translation helpful? Give feedback.
-
|
Here is Security checklist: https://firebase.google.com/support/guides/security-checklist |
Beta Was this translation helpful? Give feedback.
-
|
I think it is okay to commit, since FlutterFire team does so. Besides, I found an answer from Firebase team.
https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public |
Beta Was this translation helpful? Give feedback.
-
|
Understood. But when other person clones the project with this file, they will get access to our Firebase resources right? For example, they will be able to modify firestore data etc. |
Beta Was this translation helpful? Give feedback.
-
|
If you do not use security rule, they can do. So, protecting resources with security rule and app check is important! |
Beta Was this translation helpful? Give feedback.
-
|
I think it is okay to commit, too. It says "non-secret".
https://firebase.google.com/docs/flutter/setup?platform=ios#configure-firebase |
Beta Was this translation helpful? Give feedback.
-
|
As it says here: https://firebase.google.com/docs/projects/learn-more#config-files-objects "The content of the Firebase config file or object is considered public, including the app's platform-specific ID (Apple bundle ID or Android package name) and the Firebase project-specific values, like the API Key, project ID, Realtime Database URL, and Cloud Storage bucket name. Given this, use Firebase Security Rules to protect your data and files in Realtime Database, Cloud Firestore, and Cloud Storage. For open source projects, we generally do not recommend including the app's Firebase config file or object in source control because, in most cases, your users should create their own Firebase projects and point their apps to their own Firebase resources (via their own Firebase config file or object)." |
Beta Was this translation helpful? Give feedback.
-
If you want to allow the users to build the project from source then this way they can't since you didn't commit this file, also it will require more setup if you using CI to automate the app publishing or app updates or even build and test the app By building the app from source, they will get the exact same app data that you build and publish to your users so it's not an issue, it depends on your use case if you want or not but I think the official docs should include more info about this |
Beta Was this translation helpful? Give feedback.
No one has given an answer and I have come from Google search results to here.
firebase_options.dartfile is (i) a generated file and (ii) contains vulnerable information such as api key, app id etc.The red flags are all over the place, so we can safely say that we MUST NOT commit this file. This file can be generated on other dev machines with simple
flutterfire configurecommand anyways. So, it is the best to add this is.gitignorealthough I still cannot believe it is automatically added to.gitignoreon a fresh Flutter project.