Move hardcoded Firebase API key to environment configuration #381

@bpowers

Description

The Firebase API key is hardcoded directly in src/server/app.ts (line 248):

const firebaseRestClient = createFirebaseRestClient({
  apiKey: 'AIzaSyConH72HQl9xOtjmYJO9o2kQ9nZZzl96G8',
  emulatorHost: process.env.FIREBASE_AUTH_EMULATOR_HOST,
});

Previously this key was also hardcoded in src/app/App.tsx, but now that Firebase auth has moved server-side, only the server copy remains. The key should come from an environment variable or configuration file rather than being embedded in source.

Why it matters

  • Maintainability: Changing the key (e.g., for a different Firebase project or key rotation) requires a code change and redeployment instead of a config change.
  • Environment separation: Different environments (dev, staging, production) may need different Firebase projects/keys, which is awkward when the value is hardcoded.
  • Best practice: Configuration that varies by deployment should live outside the source tree. While Firebase API keys are not secret (they are publicly visible in client-side apps), treating them as configuration is still the right pattern.

Component(s) affected

  • src/server/app.ts

Possible approach

Read the API key from an environment variable (e.g., FIREBASE_API_KEY) with the current value as a fallback default during the transition:

const firebaseRestClient = createFirebaseRestClient({
  apiKey: process.env.FIREBASE_API_KEY || 'AIzaSyConH72HQl9xOtjmYJO9o2kQ9nZZzl96G8',
  emulatorHost: process.env.FIREBASE_AUTH_EMULATOR_HOST,
});

Context

Identified during server-side auth work on the server-side-auth branch.
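
An added example, not code from this issue or the project: one way to resolve the key from `FIREBASE_API_KEY` so that an empty or malformed value fails at startup, with the transition fallback honoured only outside production. The names `loadFirebaseConfig`, `transitionFallback`, `keySource` and the use of `NODE_ENV` are assumptions, as is the key shape check ("AIza" plus 35 URL-safe characters).

```typescript
// Added example; only FIREBASE_API_KEY and FIREBASE_AUTH_EMULATOR_HOST come from the issue.
type Env = Record<string, string | undefined>;

interface FirebaseClientConfig {
  apiKey: string;
  emulatorHost: string | undefined;
  keySource: 'env' | 'fallback'; // log this at startup to see when the fallback is still in use
}

// Assumed shape of a Google-issued web API key: "AIza" followed by 35 URL-safe characters.
const API_KEY_SHAPE = /^AIza[0-9A-Za-z_-]{35}$/;

function loadFirebaseConfig(env: Env, transitionFallback: string = ''): FirebaseClientConfig {
  // Trim first: `process.env.X || default` treats "" as unset but passes " " through as a key.
  const fromEnv = (env.FIREBASE_API_KEY ?? '').trim();
  const emulatorHost = (env.FIREBASE_AUTH_EMULATOR_HOST ?? '').trim() || undefined;
  const isProduction = env.NODE_ENV === 'production'; // assumed environment marker

  // A stray emulator host in production would point auth at a non-production service.
  if (isProduction && emulatorHost) {
    throw new Error('FIREBASE_AUTH_EMULATOR_HOST must not be set in production');
  }

  let apiKey = fromEnv;
  let keySource: 'env' | 'fallback' = 'env';
  if (!apiKey) {
    // Fail closed in production so a missing variable cannot silently select another project.
    if (isProduction || !transitionFallback) {
      throw new Error('FIREBASE_API_KEY is not set');
    }
    apiKey = transitionFallback;
    keySource = 'fallback';
  }

  // Emulator runs commonly use a dummy key (assumption), so the shape check applies
  // only when talking to the real service.
  if (!emulatorHost && !API_KEY_SHAPE.test(apiKey)) {
    throw new Error('FIREBASE_API_KEY does not look like a Firebase web API key');
  }
  return { apiKey, emulatorHost, keySource };
}

// Usage in the server entry point (hypothetical wiring):
//   const cfg = loadFirebaseConfig(process.env, TRANSITION_DEFAULT_KEY);
//   createFirebaseRestClient({ apiKey: cfg.apiKey, emulatorHost: cfg.emulatorHost });
```
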
