I made an IONIC project which can be authenticated with Facebook and Google and i put config file(in the picture) in the app.module.ts
Is app.module.ts only seen by the developer?
Can user see this config file when user makes apk to code this project ?
Is this a bug that i made ? Do i have to make API for this ?
This can all be made public (client-side). This is intended for client configurations. If you look under the web section in the Firebase console you'll see that they tell developers to paste that in their client-side (JavaScript SDK) code.
If you follow the Installation and Setup guide for @angular/fire, they keep it in the /src/environments/environment.ts. I'm not sure if that's the recommended place to keep any front-end configurations in the App.
People have mixed opinions about it. You might want to read through this answer to know more.
I think making an API call would make it more prone to sniff and hack. Someone could see your Network Requests and get a hold of the response payload for that matter.
No, it's NOT SAFE to keep Firebase Config in environment.ts or environment.prod.ts.
As of now, AngularCLI only minifies the code. If you open up Devtools on your Browser, select main.hash-code-for-the-bundle.js and pretty print it, and then try to find by something like messagingSenderId, you'll be able to see it.
NOTE: This is a real production app.
