#Hello I have an extremely basic question

Currently, it appears that the app is authenticating with the firebase-rules service account, based on the fact that I can see logs where the app is trying to conneft to firestore and that is the identity it is using. Where is that coming from? I'm assuming we have a json file somewhere that has the credentials for that firebase-rules user, or something that is acting as that account.

or is it this step, the developer runs "firebase login" locally and that creates the necessary credentials? https://firebase.google.com/docs/flutter/setup?platform=ios

Or maybe it's this part that does it? Since that's where you have to select a project and and app and all that.

And the point about that is that those can be reverse engineered from the code you publish on the stores, or even the web access. But without proper auth, they won't get to anything that isn't wide-open public, so make sure most of your data is locked down to auth users only.

Those creds merely identify you to google as one particular application, to know what auth tables to then further authorize with.

does that help?

Oh, duh, I'm talking to a cloud GDE. Nevermind. 🙂

but that's the language you would use with a flutter user. 🙂

And yes, the flutterfire tools register a firebase project and create a .dart file with the credentials, for either a mobile or a web app.

I think I'm realizing that the app itself deosn't really have an identity, it simply uses the user's identity if they are logged in otherwise it has no identity.

so I have to grant he user access to read or write to the database via the firebase-rules rather than granting the app access to write to the datbaase.

I'm used to python, so my app would be running on the sserver and it would have a service account and it would use to call the databases. but this is javascript so the credentials are the user's credentials instead of the app's.

Correct. The app "credentials" are just to select which auth table gets used to verify the user which then gives access to a particular dataset.

that's pretty much how firebase has always worked, even before it was a google product.

Yeah I realized after I posted this that my question is really more about how firebase works and if I had understood that then the part of how flutter does it would have been more obvious. It needs the project id and the APP idea and some kind of clientid/secret that can be used to authenticate a user but then it uses the user's credentials to do api things after that.

I have another super novice question! The app we are building is meant to be pushed to the ios and android stores. But some of us think it would be nice to have a web version we can poke at while the app is being developed.

Is that something I could deploy on a cloud run instance and put an IAP or something in front of it, to test out the behavior of the app?

Or do we need to push it to the app stores for beta testing in order to touch/feel the app? Currently only the developer can see the app on their desktop.

You can publish to google cloud for relatively free

so I can basically take the code from this github repo and deploy it in a cloud run or app engine flex instance or something? and it should work? even if it's not optimzed for web ?

The developer I'm working with hasn't done any of that before so I'm trying to basically take his repo and deploy it so I can see the app in action.

if you're not using anything that is absent on web, you just publish to web, as indicated on flutter.dev

https://docs.flutter.dev/deployment/web

"Deploying to firebase hosting"

lovely, thank you sir! you are a gentleman and a scholar.