Should I add the google-services.json (from Firebase) to my repository?

前端 未结 2 1419
不知归路
不知归路 2020-11-29 00:37

I just signed up with Firebase and I created a new project. Firebase asked me for my app domain and a SHA1 debug key. I input these details and it generated a google-service

相关标签:
2条回答
  • 2020-11-29 00:58

    From this discussion it seems you can add it to a public repo. Its content ends up in the APK anyway and is probably easy to extract.

    0 讨论(0)
  • 2020-11-29 01:02

    A google-services.json file is, from the Firebase doc:

    Firebase manages all of your API settings and credentials through a single configuration file.
    The file is named google-services.json on Android and GoogleService-Info.plist on iOS.

    It seems to make sense to add it to a .gitignore and not include it in a public repo.
    This was discussed in issue 26, with more details on what google-services.json contains.

    A project like googlesamples/google-services does have it in its .gitignore for instance.
    Although, as commented by stepheaw, this thread does mention

    For a library or open-source sample we do not include the JSON file because the intention is that users insert their own to point the code to their own backend.
    That's why you won't see JSON files in most of our firebase repos on GitHub.

    If the "database URL, Android API key, and storage bucket" are not secret for you, then you could consider adding the file to your repo.
    As mentioned in "Is google-services.json safe from hackers?", this isn't that simple though.

    baueric asks in the comments:

    In that post he says:

    The JSON file does not contain any super-sensitive information (like a server API key)

    But the google-services.json does have entry called api_key.
    Is that a different api key than a "server api key"?

    Willie Chalmers III points to "Is google-services.json safe from hackers?", and adds:

    Yes, that API key isn't a server API key which should never be public, so it's fine if your google-services.json is visible by others.

    In any case, you should still restrict how your client API key can be used in the Google Cloud console.

    0 讨论(0)
提交回复
热议问题