
API key restrictions

Open k-rokicki opened this issue 2 years ago • 7 comments

Since you've included your google-services.json file in the repo, which contains your API key: https://github.com/KalleHallden/exer_log/blob/3893b56325da513b9fff304d97911d6b58509979/app/exerlog/android/app/google-services.json#L38-L42

you might want to consider adding restrictions to this key:

https://stackoverflow.com/a/57067722

Also, remember: once you publish your key, you can no longer treat it as private, even if you remove it from the repo.

k-rokicki avatar Aug 05 '22 11:08 k-rokicki

This should be added to the .gitignore and invalidated by @KalleHallden. Security-wise this should never be public.

HacDan avatar Aug 06 '22 15:08 HacDan

Well, not really - as mentioned in the SO thread above:

When using the plugin the way Google intends you to, it will unfortunately be easy for anyone unzipping your APK to get hold of your Firebase/Google API Key.

The API key becomes public as soon as you publish your app to Google Play, so I believe the way to go is to set key restrictions properly.

k-rokicki avatar Aug 06 '22 15:08 k-rokicki

About adding google-services.json to .gitignore - I agree if the documentation mentions that this file should be placed in that directory, otherwise I would leave the file where it is, possibly with credentials set to ""

k-rokicki avatar Aug 06 '22 15:08 k-rokicki
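As an added example (not code from the exer_log project or from any commenter), a small repo-hygiene check for the suggestion above: it parses a file in the shape of google-services.json, reports which clients still carry a populated `api_key[].current_key`, and produces a scrubbed copy with those values set to `""`. The sample document is constructed here and its key value is a placeholder, not a real credential.

```python
import copy
import json
from typing import List, Tuple

# Constructed sample in the shape of a google-services.json file.
# The current_key value is a placeholder, not a real Google API key.
SAMPLE_GOOGLE_SERVICES = """
{
  "project_info": {"project_number": "000000000000", "project_id": "example-project"},
  "client": [
    {
      "client_info": {
        "mobilesdk_app_id": "1:000000000000:android:0000000000000000",
        "android_client_info": {"package_name": "com.example.app"}
      },
      "api_key": [{"current_key": "AIzaPLACEHOLDER_NOT_A_REAL_KEY_000000"}]
    }
  ]
}
"""


def find_populated_keys(doc: dict) -> List[Tuple[str, int]]:
    """Return (package_name, api_key index) for every non-empty current_key.

    Only the location is reported, never the key value itself, so the
    output is safe to show in CI logs.
    """
    found = []
    for client in doc.get("client", []):
        info = client.get("client_info", {}).get("android_client_info", {})
        pkg = info.get("package_name", "<unknown package>")
        for idx, entry in enumerate(client.get("api_key", [])):
            if entry.get("current_key", ""):
                found.append((pkg, idx))
    return found


def scrub(doc: dict) -> dict:
    """Return a deep copy with every current_key blanked to "" for committing."""
    cleaned = copy.deepcopy(doc)
    for client in cleaned.get("client", []):
        for entry in client.get("api_key", []):
            if "current_key" in entry:
                entry["current_key"] = ""
    return cleaned


if __name__ == "__main__":
    doc = json.loads(SAMPLE_GOOGLE_SERVICES)
    for pkg, idx in find_populated_keys(doc):
        print(f"populated api_key[{idx}] for client {pkg}")
    print(json.dumps(scrub(doc), indent=2))
```

The pre-scrub check is what a pre-commit hook would run; the scrubbed copy is what k-rokicki proposes leaving in the repo so the build still finds the file.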

I was referring to a little farther down the thread.

Also note that, although they are public for your application, these files should not be made available on public repositories of open source projects.

Edit: Markdown support on mobile is horrible.

HacDan avatar Aug 06 '22 15:08 HacDan

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 21 '22 12:09 stale[bot]

Actually the auto generated firebase keys do not need to be restricted generally. There are a few cases where restriction is recommended though. See the following documentation. https://firebase.google.com/docs/projects/api-keys#apply-restrictions

justChris avatar Sep 25 '22 19:09 justChris

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Oct 10 '22 20:10 stale[bot]