我应该将 google-services.json(来自 Firebase)添加到我的存储库中吗? [英] Should I add the google-services.json (from Firebase) to my repository?
问题描述
我刚刚注册了 Firebase 并创建了一个新项目.Firebase 询问我的应用域和 SHA1 调试密钥.我输入了这些详细信息,它生成了一个 google-services.json 文件供我添加到我的应用模块的根目录中.
I just signed up with Firebase and I created a new project. Firebase asked me for my app domain and a SHA1 debug key. I input these details and it generated a google-services.json file for me to add in the root of my app module.
我的问题是,是否应将此 .json 文件添加到公共(开源)存储库中.是否应该保密,例如 API 密钥?
My question is, should this .json file be added to a public (open source) repo. Is it something that should be secret, like an API key?
推荐答案
A google-services.json 文件是,来自 Firebase 文档:
Firebase 通过单个配置文件管理您的所有 API 设置和凭据.
该文件在 Android 上名为 google-services.json,在 iOS 上名为 GoogleService-Info.plist.
Firebase manages all of your API settings and credentials through a single configuration file.
The file is namedgoogle-services.jsonon Android andGoogleService-Info.pliston iOS.
将其添加到 .gitignore 而不是将其包含在公共存储库中似乎是有意义的.
这在 issue 26 中进行了讨论,详细介绍了google-services.json 包含.
It seems to make sense to add it to a .gitignore and not include it in a public repo.
This was discussed in issue 26, with more details on what google-services.json contains.
像 googlesamples/google-services 这样的项目确实有例如,它在其.gitignore中.
虽然,作为 评论 由 stepheaw,这个 线程确实提到了
对于库或开源示例,我们不包含 JSON 文件,因为目的是让用户插入自己的文件以将代码指向自己的后端.
这就是为什么您在 GitHub 上的大多数 firebase 存储库中都看不到 JSON 文件的原因.
For a library or open-source sample we do not include the JSON file because the intention is that users insert their own to point the code to their own backend.
That's why you won't see JSON files in most of our firebase repos on GitHub.
如果数据库 URL、Android API 密钥和存储桶"对你来说不是秘密,那么你可以考虑将文件添加到你的仓库中.
正如google-services.json 是否免受黑客攻击?"所述,但这并没有那么简单.
If the "database URL, Android API key, and storage bucket" are not secret for you, then you could consider adding the file to your repo.
As mentioned in "Is google-services.json safe from hackers?", this isn't that simple though.
在那篇文章中他说:
JSON 文件不包含任何超级敏感信息(如服务器 API 密钥)
The JSON file does not contain any super-sensitive information (like a server API key)
但是 google-services.json 确实有名为 api_key 的条目.
这是一个与服务器 api 密钥"不同的 api 密钥吗?
But the google-services.json does have entry called api_key.
Is that a different api key than a "server api key"?
Willie Chalmers III 指向google-services.json 对黑客安全吗?",并补充说:
是的,该 API 密钥不是永远不应该公开的服务器 API 密钥,因此如果您的 google-services.json 其他人可以看到也没关系.
Yes, that API key isn't a server API key which should never be public, so it's fine if your
google-services.jsonis visible by others.
无论如何,您仍应限制您的客户端 API 密钥在 Google Cloud 控制台中的使用方式.
In any case, you should still restrict how your client API key can be used in the Google Cloud console.
这篇关于我应该将 google-services.json(来自 Firebase)添加到我的存储库中吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
