
I created a project with ReactJS and Firebase and saved the project to a GitHub repository. I then imported the project with GitHub and created a domain with Netlify.

I want to make the Firebase database URL not public through GitHub. However, if you make the project files invisible with gitignore, Netlify will have problems. Also, if you set the rules as ".read": false, ".write": false, Netlify gives an error.

So I don't know how to prevent the Firebase database URL from leaking through the GitHub repository without causing problems with Netlify.

Frank van Puffelen
Songkail
  • You might want to read https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public/37484053#37484053 – Frank van Puffelen Apr 07 '23 at 13:21
  • If you are publishing an app to the world that accesses Firebase, you can't possibly hide the URL because the client app always needs it to connect. It's not private data, but you don't have to commit anything to your source control. You should rely on security rules to make sure the user only has access to the data you want them to use and not worry about the URL at all since it's going to end up in the client app somehow. – Doug Stevenson Apr 07 '23 at 15:57

1 Answer


It is possible to use private GitHub repositories with Netlify.

Alternatively, you can allow Firebase database reads only if a user has a special claim role, for example, an admin role in firestore.rules:

{
  "rules": {
    ".read": "auth != null && auth.token.admin == true",
    // Forbid write
    ".write": false
  }
}

This requires adding these claims to users once:

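// Runs server-side with the Firebase Admin SDK, not in the client app
import { initializeApp } from 'firebase-admin/app';
import { getAuth } from 'firebase-admin/auth';
const firebaseApp = initializeApp();
const firebaseAuth = getAuth(firebaseApp);
// Look up the user and attach the custom claim that the rules check
const user = await firebaseAuth.getUserByEmail('email');
await firebaseAuth.setCustomUserClaims(user.uid, {
   admin: true
});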
Artur A
  • You are showing an example for Firestore here, but the question was tagged Realtime Database, which is a different database. And I don't really see how this answers the question of hiding the database URL. It's not really possible to do so in a client app that's published to the world. – Doug Stevenson Apr 07 '23 at 15:59
  • Thank you @DougStevenson, updated the example for Realtime Database. – Artur A Apr 10 '23 at 17:59
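
Since the database URL ends up in the client app either way, the rules file is the thing to check before deploying. The sketch below is an added example, not code from the question or the answer: it strips `//` comments from a Realtime Database rules file and lists every `.read`/`.write` that can grant access without consulting `auth`. The function names and both sample rule sets are constructed for illustration, and the `auth` test is a heuristic.

```javascript
// Strip // line comments outside string literals so JSON.parse accepts the rules.
function stripLineComments(text) {
  let out = "", inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      out += c;
      if (c === "\\") out += text[++i] ?? "";   // copy the escaped character as-is
      else if (c === '"') inString = false;
    } else if (c === "/" && text[i + 1] === "/") {
      while (i < text.length && text[i] !== "\n") i++;
      out += "\n";
    } else {
      if (c === '"') inString = true;
      out += c;
    }
  }
  return out;
}

// Heuristic: flag each .read/.write that can grant access without consulting `auth`.
function auditRules(rulesText) {
  const findings = [];
  const walk = (node, path) => {
    for (const [key, value] of Object.entries(node)) {
      if (key === ".read" || key === ".write") {
        const expr = String(value).trim();
        if (expr !== "false" && !/\bauth\b/.test(expr)) {
          findings.push({ path: path || "/", rule: key, expr });
        }
      } else if (value && typeof value === "object") {
        walk(value, `${path}/${key}`);
      }
    }
  };
  walk(JSON.parse(stripLineComments(rulesText)).rules, "");
  return findings;
}

// Constructed inputs: the answer's rules, and a deliberately loose rule set.
const ANSWER_RULES = `{ "rules": {
  ".read": "auth != null && auth.token.admin == true",
  // Forbid write
  ".write": false } }`;
const OPEN_RULES = `{ "rules": {
  ".read": true, // world-readable
  "links": { "$id": {
    ".write": "newData.exists()",
    ".validate": "newData.val().beginsWith('https://')" } } } }`;
console.log(auditRules(ANSWER_RULES), auditRules(OPEN_RULES));
```

Read and write grants in Realtime Database rules cascade to child paths, so a finding at `/` applies to the whole database regardless of deeper rules.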