Security Checklist - Before Pushing to GitHub
✅ Sensitive Files Removed
- google-services.json - Firebase configuration with API keys
- Status: Excluded from git tracking
- Template: app/android/app/google-services.json.template
- Action: Use the template to create a local copy
✅ Gitignore Updated
- Added google-services.json to .gitignore
- Added *.key, *.pem, *.p12, *.jks, *.keystore
- Added .env and environment files
- Added secrets.json, credentials.json
- Added local.properties
- Added Firebase debug logs
- Added API key files
⚠️ Hardcoded Credentials Found
1. Admin Credentials
File: app/lib/core/auth/auth_service.dart (Line 49)
if (username.toLowerCase() == 'admin' && password == 'admin') {
Status: ✅ ACCEPTABLE FOR DEVELOPMENT
- This is a development-only default credential
- Used for testing purposes
- Should be changed in production
- Consider adding environment-based configuration
Recommendation:
- Add comment explaining this is dev-only
- Create production configuration
- Use environment variables for production
2. Login Screen Default
File: app/lib/features/auth/screens/login_screen.dart
_passwordController.text = 'admin';
Status: ✅ ACCEPTABLE FOR DEVELOPMENT
- Pre-fills password field for testing
- Should be removed in production builds
🔐 Security Best Practices
Before Each Push
- Check for Secrets
git diff --cached | grep -i "password\|secret\|key\|token"
- Verify No Sensitive Files
git status | grep -E "\.key|\.pem|\.env|secrets"
- Review Staged Changes
git diff --cached --name-only
Environment Variables
Create .env.local (NOT committed):
FIREBASE_API_KEY=your_key_here
ADMIN_PASSWORD=your_password_here
Production Deployment
- Remove hardcoded credentials
- Use environment variables
- Enable code obfuscation
- Use Firebase Security Rules
- Enable API key restrictions
📋 Files to Never Commit
- google-services.json - Firebase config
- .env files - Environment variables
- *.key, *.pem - Private keys
- secrets.json - API secrets
- credentials.json - Service account keys
- local.properties - Local build config
- IDE settings with credentials
✅ Verified Safe Files
- .vscode/settings.json - No sensitive data
- pubspec.yaml - No API keys
- android/gradle.properties - No secrets
- ios/Runner/Info.plist - No secrets
- All Dart source files - No hardcoded secrets (except dev defaults)
🚀 Ready to Push
Status: ✅ SAFE TO PUSH
All sensitive information has been:
- Removed from git tracking
- Added to .gitignore
- Documented with templates
- Marked for local configuration
📝 Setup Instructions for New Developers
- Clone the repository
git clone git@github.com:DevelopersCoffee/airo.git
- Create local configuration files
# Firebase configuration
cp app/android/app/google-services.json.template app/android/app/google-services.json
# Edit with your Firebase credentials
- Create environment file (if needed)
cp .env.template .env.local
# Edit with your local settings
- Build and run
cd app
flutter pub get
flutter run
🔍 Continuous Security
Pre-commit Hook (Optional)
Create .git/hooks/pre-commit and make it executable (chmod +x .git/hooks/pre-commit), otherwise git will not run it:
#!/bin/bash
# Prevent committing sensitive data. Only the lines being ADDED are scanned
# (the "+++" file header is skipped), so removing an old secret does not
# trip the hook, and the match is case-insensitive.
if git diff --cached -U0 | grep -E '^\+[^+]' | grep -iE "password|secret|api_key|token"; then
echo "ERROR: Sensitive data detected in commit!"
exit 1
fi
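The "Before Each Push" greps and the hook above share one weakness: a plain git diff | grep also matches removed lines and context, so deleting a leaked secret is reported as a leak. The function below, an added example that is not part of the original checklist, reads a unified diff on stdin (for example git diff --cached -U0) and checks sensitive file names and added lines only; the sample diffs and the api_key value are constructed.

```shell
#!/bin/bash
# Added example (not from the original checklist): the pre-push greps as one
# function. Reads a unified diff on stdin (e.g. `git diff --cached -U0`) and
# fails on sensitive file names or secret-looking ADDED lines, so deleting an
# old secret does not trip the check the way `git diff | grep` would.

SECRET_RE='password|secret|api.?key|token|credential'
SENSITIVE_FILE_RE='\.(key|pem|p12|jks|keystore)$|(^|/)\.env|(secrets|credentials|google-services)\.json$|local\.properties$'

# scan_diff: returns 0 when clean, 1 when the push should be blocked.
scan_diff() {
    local rc=0 line path
    while IFS= read -r line; do
        case "$line" in
            '+++ '*)   # "+++ b/path" names the post-change file
                path="${line#+++ }"; path="${path#b/}"
                if printf '%s\n' "$path" | grep -qiE "$SENSITIVE_FILE_RE"; then
                    echo "ERROR: sensitive file staged: $path" >&2; rc=1
                fi ;;
            '+'*)      # any other '+' line is added content
                if printf '%s\n' "${line#+}" | grep -qiE "$SECRET_RE"; then
                    echo "ERROR: secret-looking content: ${line#+}" >&2; rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample diffs (not from a real repository).
CLEAN_DIFF='--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # airo
+Run flutter pub get before building.'
LEAKY_DIFF='--- /dev/null
+++ b/app/android/app/google-services.json
@@ -0,0 +1 @@
+{"api_key": "CONSTRUCTED-PLACEHOLDER"}'
# Only removes a secret: `git diff --cached | grep -i token` would flag this.
REMOVAL_DIFF='--- a/config.dart
+++ b/config.dart
@@ -1 +1 @@
-const apiToken = "constructed-old-value";
+// moved to .env.local'

# Demonstration runs (clean and removal-only pass, the leaky diff is blocked):
printf '%s\n' "$CLEAN_DIFF"   | scan_diff && echo "clean diff: ok"
printf '%s\n' "$REMOVAL_DIFF" | scan_diff && echo "removal-only diff: ok"
printf '%s\n' "$LEAKY_DIFF"   | scan_diff || echo "leaky diff: blocked (expected)"
```

To use it as the hook body, replace the demonstration lines with `git diff --cached -U0 | scan_diff || exit 1`.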
GitHub Actions (Optional)
Add secret scanning to CI/CD pipeline to detect leaked credentials.
📞 Incident Response
If sensitive data is accidentally committed:
- Immediately revoke credentials
- Regenerate Firebase API keys
- Reset admin passwords
- Revoke any exposed tokens
- Remove from history (revoking comes first because the secret remains in every existing clone until the rewritten history is pushed and re-cloned)
git filter-branch --tree-filter 'rm -f app/android/app/google-services.json' HEAD
git push --force-with-lease
- Notify team members
- Alert about the incident
- Provide new credentials
- Update documentation
✅ Final Verification
Before pushing to GitHub:
# Check for sensitive patterns
git diff --cached | grep -iE "password|secret|api.?key|token|credential"
# Verify no sensitive files
git status | grep -E "\.key|\.pem|\.env|secrets|google-services"
# Review all staged files
git diff --cached --name-only
All checks passed: ✅ SAFE TO PUSH
Last Updated: November 1, 2025
Status: Ready for GitHub Push