Do I need an .env file? What about security?
L
Luis Quiroga
Hi I'm about to finish a React-Native App, but I'm concerned about the security side of the application.
I have developed and tested my app with the @react-native-firebase library, but in all this time I have not create an .env file but I'm not sure if this libraries take care of it or if I have to create it.
Also, how am I sure that all my keys are not exposed, should I use react-native-dotenv? if so, where should I use it?
Thanks in advance.
Mike Hardy
Hi there! react-native-dotenv and discussions of environment management are separate from react-native-firebase really. This module requires the GoogleServices plist/json files to be included (somehow, dotenv or any other mechanism you like) and those files do include application identifiers. They do not include API keys though, the APIs accessed by react-native-firebase via the underlying firebase-android-sdk/firebase-ios-sdk libraries rely on user tokens that are granted after authentication. Security is provided by applying the necessary security restrictions to the APIs via the firebase web console (or firebase-admin-sdk using a firebase.json file). Which is a long way of saying: react-native-firebase is not really related to your security surface area, restrict access using security rules as specified in the main firebase docs. Manage different environments however you like