garagelauncher/diversagente

Hide react-native-maps GOOGLE_MAPS_API_KEY in Bearer workflow properly for Android

Closed this issue · 3 comments

Situation

Today we hardcode GOOGLE_MAPS_API into the file android/app/src/main/AndroidManifest.xml and do not push it to git, because if we pushed it, all developers would be able to see our SECRET. This is not an issue for local builds, but since we started to use GitHub Actions with an Expo EAS automatic build of the app, when an automatic build runs there is no hardcoded secret, so some screens of the app only work with local builds, and this has become a bottleneck.

Example of hardcoded SECRET:

 <meta-data
     android:name="com.google.android.geo.API_KEY"
     android:value="Bjz**********mTTA"
/>

Task

To solve this, we need to dynamically inject variables into AndroidManifest.xml when build runs.

Something like:

 <meta-data
     android:name="com.google.android.geo.API_KEY"
     android:value="${GOOGLE_API_SECRET}"
/>

There are a lot of options to do this, and we have little experience with mobile development. But we are great researchers.

After some quick googling, I discovered that this issue might be confused with another "well-known issue" called "use environment variables", that is, loading your variables from some .env file or from the system environment. Awesome libraries can do this, like react-native-dotenv (the project uses this one) and react-native-config.

The project is already doing this; the goal now is to load the variables AND put them into AndroidManifest.xml WHEN a build is started.

Action

Answering some questions can speed up finding the right action.

1 - Is it possible to inject environment variables into AndroidManifest.xml?

Yes, the Android Google docs talk about this.

2 - A step back, if we already have a way to inject environment variables into the app, we could just change the SECRET of react-native-maps, is it possible to change the SECRET at runtime?

Not natively, but this react-native-maps issue shows that with react-native-config it is possible to have an environment variable that will be injected into AndroidManifest.xml after changing the build.gradle and AndroidManifest.xml.

We didn't use react-native-config; instead we chose to use react-native-dotenv to load environment variables, and it wouldn't make sense to have 2 libraries installed with the same function. We are also not going to replace it, because it seems that it is possible to perform the above procedure without changing the library.

3 - What is the process to inject variables into AndroidManifest.xml in React Native Bearer Workflow for Android?

In addition to the last documentation mentioned above, there are 2 questions on the Stack Overflow forum: the first talks about injecting environment variables into AndroidManifest.xml and the other about which of the build.gradle files should be changed.

Result

Now it is possible to do automatic builds with GitHub Actions using Expo EAS build, with ALL app features working well with the right secrets on Android.

There is another procedure to do this on iOS, but for today, this is sufficient.
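
The injection mechanism from questions 1 and 3 above, sketched as an added example (not part of the original issue and not the project's own build file): a Gradle manifest placeholder filled from the build environment. The variable name GOOGLE_MAPS_API_KEY, the .env location and the `resolveMapsKey` helper are assumptions made for illustration.

```groovy
// android/app/build.gradle (fragment) -- added example, not the project's own file.
// Assumption: the key is supplied as GOOGLE_MAPS_API_KEY, either as an
// environment variable (CI / EAS secret) or in an untracked .env at the repo root.

// Resolve the key: environment first, then a simple KEY=value lookup in .env.
def resolveMapsKey = {
    def fromEnv = System.getenv("GOOGLE_MAPS_API_KEY")
    if (fromEnv) return fromEnv.trim()

    // rootProject is the android/ directory, so ../.env is the repository root (assumed).
    def envFile = rootProject.file("../.env")
    if (envFile.exists()) {
        def line = envFile.readLines().find { it.trim().startsWith("GOOGLE_MAPS_API_KEY=") }
        if (line) {
            // Keep everything after the first '=', dropping optional surrounding quotes.
            return line.substring(line.indexOf("=") + 1).trim().replaceAll(/^["']|["']$/, "")
        }
    }
    return ""
}

def mapsKey = resolveMapsKey()

android {
    defaultConfig {
        // Fills ${GOOGLE_MAPS_API_KEY} in AndroidManifest.xml during manifest merge:
        //   <meta-data android:name="com.google.android.geo.API_KEY"
        //              android:value="${GOOGLE_MAPS_API_KEY}" />
        // Note: this assignment replaces any placeholders set earlier in the file.
        manifestPlaceholders = [GOOGLE_MAPS_API_KEY: mapsKey]
    }
}

// Fail fast instead of producing a build whose map screens do not work.
gradle.taskGraph.whenReady { graph ->
    def building = graph.allTasks.any {
        it.name.startsWith("assemble") || it.name.startsWith("bundle")
    }
    if (building && !mapsKey) {
        throw new GradleException("GOOGLE_MAPS_API_KEY is not set (env var or .env)")
    }
}
```

The merged manifest is readable by anyone who unpacks the APK, so this keeps the key out of git but not out of the shipped app; restrict the key in the Google Cloud console to the app's package name and signing-certificate fingerprint.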