I see this question has already been asked, but not all that recently, so I am bringing it up again.

How do you hide your firebaseConfig file, or any secret key, in an expo application? (For production, not dev).

As far as I can tell, there is no way to properly hide the firebase config file with API keys etc. in a react-native expo app.

Being that I have already built my entire app around interacting with firestore, I am a bit perplexed as to how to proceed forward.

If I eject, is there a way to properly hide my API key in a non-expo react-native-app? Or will I still face the same problem? Everything is working smoothly and I would prefer not to eject.

I have some experience using node.js/express.js as a backend (only ever in a development setting). Should I build myself a server and then serve the config info from there?

If I want to deploy a 'demo' app, is there a way to hide the keys while still using expo?

Any insight into this would be so helpful.

As far as I am aware there is no 'dotenv' package compatible with expo.

Also I have zero experience in deploying mobile apps, and very little in deploying web apps. I have not yet had to deal with securing keys in deployment.

Any help would be so appreciated.

1 Answer

It's not possible to effectively hide your Firebase config information. The best you can do is make it more difficult for someone to find them. Since all the JavaScript code is running on a computer or device that you don't control, you can't ensure that any of it is hidden from view.

In fact, you don't need to hide any of that. I suggest reading this: Is it safe to expose Firebase apiKey to the public?

If you're using Realtime Database, Firestore, or Cloud Storage, you should be using security rules to protect data so that only authorized users can access it.

Doug Stevenson
  • Okay great, thank you! I had read that but was still feeling a little unsure as this will be my first attempt at deploying anything using firebase (or expo). – Chelsea Angelena Oct 16 '20 at 23:42
  • In your opinion, do you think I should make the rules more specific (keeping in mind this is really just meant as a demo app, it's unlikely anyone I don't know will even look at it). Currently my rules are set up for all authorized users to have read/write access. I only have email/password login set up (and I'm not currently verifying emails). – Chelsea Angelena Oct 16 '20 at 23:50
  • It's completely up to you how much security you want or need in your app, and how to define it. – Doug Stevenson Oct 17 '20 at 00:10
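
One way the security-rules advice in the answer could look for Firestore, with the broad rule described in the comments next to a per-owner version. This is an added example, not part of the original answer or comments; the collection names `users` and `posts` and the `ownerUid` field are assumptions.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // BROAD (the setup described in the comments): any signed-in user
    // can read and write every document. Because the client config is
    // public and email/password sign-up is open, "signed in" is a low bar.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // TIGHTER: a user may only read and write their own profile.
    // Assumes a hypothetical "users" collection keyed by the Auth UID.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Assumes a hypothetical "posts" collection whose documents
    // carry an ownerUid field set at creation time.
    match /posts/{postId} {
      // Any signed-in user may read.
      allow read: if request.auth != null;

      // A new document must name the caller as its owner.
      allow create: if request.auth != null
                    && request.resource.data.ownerUid == request.auth.uid;

      // Only the owner may update, and ownership cannot be reassigned.
      allow update: if request.auth != null
                    && resource.data.ownerUid == request.auth.uid
                    && request.resource.data.ownerUid == resource.data.ownerUid;

      // Only the owner may delete.
      allow delete: if request.auth != null
                    && resource.data.ownerUid == request.auth.uid;
    }

    // No other match blocks: any path not listed above is denied.
  }
}
```

With rules like these, the API key in the shipped config only identifies the project; what a caller can read or write is decided server-side by the rules.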