the-collab-lab / tcl-28-smart-shopping-list


14. As an engineer, I want my firebase credentials to be secure #19

Open ksiman14 opened 3 years ago

ksiman14 commented 3 years ago

Note: This issue should only be addressed if the rest of the issues have been resolved at the end of the project.

AC

luisaugusto commented 3 years ago

Hi Kelsey! I just wanted to add some notes on what would need to be completed if we wanted to use environment variables:

  1. Each developer would have to create a local .env file in the root directory of the project, and add that file to the .gitignore
  2. Add each value from the Firebase configuration into the .env file, prepending the keys with REACT_APP_
  3. Add the Firebase keys/values to GitHub as project secrets (⚠️ we would need to get admin access to the repository)
  4. Set up the GitHub workflows to use those secrets so that the application can be built and deployed to Firebase with them

Since the keys we are using are publicized in the build process and access to the Firebase store is guarded by a configuration in Google's Cloud Console, this would just be a good learning exercise since it is safe to keep these keys in the repository anyways.

But let's say that we did run into a situation where we accidentally exposed private keys in our repository: GitHub has a great guide on how to purge a file and its history so that the vulnerable code is no longer in the repo 🔥