0

I'm a hobby developer and have worked with Firebase a bit, but never on a production level.

One thing I never really quite understood is where do I keep my firebase credentials? I always keep the credentials in an env file, and have a firebase.js file at the root of my project in which I initialize my project, but essentially, my credentials are completely exposed to the client.

Specifically, I am now working on a React Native app (Expo), and would love to know the correct approach for working with the SECRET environment variables for production.

Aside from the Firebase credentials, I also have a few other variables that I would like to keep secret.

Tsabary
  • 3,119
  • 2
  • 24
  • 66
  • 1
    Firebase configs are never secret, and it intended for them to live in the client app. They can't work as secrets if you intent to interact with Firebase directly from your client app. The only way something can be truly secret is to make sure it stays on a backend that you fully control and never reaches your frontend, where there are no secrets. – Doug Stevenson Jul 13 '23 at 12:20
  • @DougStevenson So what prevents anyone from using them with malicious intent? – Tsabary Jul 13 '23 at 15:05
  • 1
    If you read the duplicate, you'll find out what sort of measures you can put in place to stop or deter abuse. If you still think your project is being abused, you can reach out to Firebase support for help. – Doug Stevenson Jul 13 '23 at 15:14

1 Answers1

0

You can still keep them in a .env file, then add the .env extension to .gitignore so it will be safe and won't upload anywhere, for this approach you might try these;

https://www.npmjs.com/package/react-native-dotenv

https://www.npmjs.com/package/react-native-config

and for more information about gitignore you might check these;

Ignore files that have already been committed to a Git repository

Ignoring .env files in my project with .gitignore

ihsnktmr
  • 198
  • 1
  • 11