API-Key in jwt.cpp

[JoergTiedemann]

In the file jwt.cpp in line 156 an api key is defined
If I check this into my repo into GitHub gitguardian (gitguardian.com) checks this and I get a report from gitguardian, that it is not recommended to store api secret key's in GitHub for security reasons.
So my question:
What is this for a api key and is it required and necessary to store this in the source code ?

[mobizt]

You should consult the Google document. It does not a typical key for controlling the security which you or anyone to aware of.
https://firebase.google.com/docs/projects/api-keys?hl=en&authuser=0

[JoergTiedemann]

Ok thanks

[mobizt]

If you mean this

FirebaseClient/src/core/JWT/JWT.cpp

Line 156 in f9f3353

jwt_data.token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9";

It is the base64 encoded string of JWT header {"alg":"RS256","typ":"JWT"}.

The only thing that is security concern is the private key in the service account was used when you want admin rights access without user consent in non-UI device, which you have to include in the source code or transfer to your device by any mean which any one can hack this information even you can revoke it.

FirebaseClient/src/core/JWT/JWT.cpp

Lines 240 to 245 in f9f3353

	// parse priv key
	if (jwt_data.pk.length() > 0)
	pk = new PrivateKey(jwt_data.pk.c_str());
	else if (auth_data->user_auth.sa.val[sa_ns::pk].length() > 0)
	pk = new PrivateKey(auth_data->user_auth.sa.val[sa_ns::pk].c_str());

But you have the alternative ways of secure usage by using the short-live tokens.
https://github.com/mobizt/FirebaseClient/tree/main/examples/App/AppInitialization/Async/Callback/TokenAuth

As you know the security rules are used for security control in Firebase services, but it bypassed by admin account (service account).
In the case of admin rights, you should use your own system (server or app) as the access token provider instead of hard coding the auth credentials.

[JoergTiedemann]

Ok thanks everything is ok, didn't know that the code is just an encoded jwt header