Exposed Key Help

It’s been a while since I used GitHub and, with all the work I’m putting into the learning app right now, I decided to push to GitHub. But I got a warning from GitHub via email a little while later saying that I had exposed my Google API Key. I think maybe that happened because I included my Google.plist in the push?

I’m trying to figure out how to resolve this, but I don’t know what to do. My repository is private, but recommendations are to revoke the key? I don’t know how to do that. Or what I need to do in order to include the new key(s)? for all the apps I’ve made so far.

Are API keys unique per app I create with Firebase?

So, after some research I’ve confirmed that pushing the plist file was my mistake. Don’t do that, guys! I’ve learned that you can add your plist files to be ignored by version control, which is what I should have done and what I need to figure out how to do.

I also need to revoke the key and get a new one. Then, once my code is updated, re-push to GitHub (and don’t push the new plist file!).

Updated questions:

  1. Are API keys unique per app I create with Firebase?
  2. How do I revoke an API key through Firebase?
  3. How do I get a new key through Firebase?
  4. How do I mark a file as ignored by version control in Xcode and/or GitHub?

If your GitHub repo is private then I would not be concerned about it simply because nobody but you has access to it. If the Firebase project you created is a test project then I wouldn’t be too bothered about it either.

The recommendation to not include your GoogleService-Info.plist file is really for a production project but you would not make that a public repo in any case.

Thank you. I take that to mean that API Keys ARE unique per app? Now I know not to push the plist file. 🤦

Yes, look at your Google info plist; you’ll see there are API keys in it.

Create a file called .gitignore at the same directory level as the .git folder, NOT in the .git folder.

BUT doing this after it’s already committed is a lot harder to undo, rather than doing it from the start.

Inside .gitignore, type the file name or folder you want git to ignore (not track).

If you really don’t care about your git history, you could delete the .git folder (basically your repo) and then go about initializing a new repo and make the .gitignore and “start over”.

You will then have to force push to GitHub, or just delete your GitHub project and make a new one.
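
An added example, not part of the thread: a throwaway-repo walkthrough of why adding .gitignore after the commit is harder to undo. The function names, temp directory and the key string are constructed for illustration; only `GoogleService-Info.plist` comes from the discussion above.

```shell
#!/usr/bin/env bash
# Added example. The key value below is a constructed placeholder, not a real key.
PLIST="GoogleService-Info.plist"
GIT_ID="-c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"

make_leaky_repo() {
  # Scratch repo where the plist was committed by mistake; prints its path.
  local dir
  dir=$(mktemp -d) || return 1
  git -C "$dir" init -q
  printf '<plist><string>CONSTRUCTED-PLACEHOLDER-KEY</string></plist>\n' > "$dir/$PLIST"
  git -C "$dir" add "$PLIST"
  git -C "$dir" $GIT_ID commit -q -m "initial commit (includes plist)"
  echo "$dir"
}

add_ignore_rule() {
  # Step 1: the .gitignore entry. On its own this does NOT untrack a committed file.
  echo "$PLIST" >> "$1/.gitignore"
  git -C "$1" add .gitignore
  git -C "$1" $GIT_ID commit -q -m "ignore plist"
}

untrack_plist() {
  # Step 2: drop the file from the index but keep the local copy Xcode needs.
  git -C "$1" rm -q --cached "$PLIST"
  git -C "$1" $GIT_ID commit -q -m "stop tracking plist"
}

is_tracked() { git -C "$1" ls-files --error-unmatch "$PLIST" >/dev/null 2>&1; }
is_ignored() { git -C "$1" check-ignore -q "$PLIST"; }
# Any commit that ever touched the plist still exposes its contents.
in_history() { [ -n "$(git -C "$1" log --all --oneline -- "$PLIST")" ]; }

run_demo() {
  local d; d=$(make_leaky_repo)
  add_ignore_rule "$d"; is_tracked "$d" && echo "after .gitignore only: still tracked"
  untrack_plist "$d";   is_tracked "$d" || echo "after rm --cached: untracked"
  is_ignored "$d" && echo "future 'git add .' will skip it"
  in_history "$d" && echo "old commits still contain the key"
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then run_demo; fi
```

Run it as `bash script.sh demo`. The last check is why the key still needs revoking, or the history discarding as described above, even after the file is ignored.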