security: support secure env-based firebase admin configurations and ignore sensitive keys in git

whatsapp_bridge/package.json

@@ -14,6 +14,7 @@
   "author": "Antigravity Dev Team",
   "license": "ISC",
   "dependencies": {
+    "dotenv": "^16.4.5",
     "express": "^4.18.2",
     "firebase-admin": "^11.11.1",
     "puppeteer": "^21.0.0",

whatsapp_bridge/server.js

@@ -16,26 +16,54 @@ const app = express();
 const server = http.createServer(app);
 const wss = new WebSocketServer({ server });
 
-// ─── Firebase Admin SDK Configuration (Optional Background Pushes) ─────────
+// Load environment variables from .env file
+require('dotenv').config();
+
+// ─── Firebase Admin SDK Configuration (Highly Secure Background Pushes) ─────
 const admin = require('firebase-admin');
 const path = require('path');
 const fs = require('fs');
 
 let firebaseApp = null;
-const serviceAccountPath = path.join(__dirname, 'serviceAccountKey.json');
 
-if (fs.existsSync(serviceAccountPath)) {
-  try {
-    const serviceAccount = require(serviceAccountPath);
+// Support three secure options:
+// 1. Raw JSON string in environment variable (FIREBASE_SERVICE_ACCOUNT)
+// 2. Custom secure file path in environment variable (FIREBASE_SERVICE_ACCOUNT_PATH)
+// 3. Fallback local file ignored by Git (serviceAccountKey.json)
+const envServiceAccount = process.env.FIREBASE_SERVICE_ACCOUNT;
+const envServiceAccountPath = process.env.FIREBASE_SERVICE_ACCOUNT_PATH;
+const localServiceAccountPath = path.join(__dirname, 'serviceAccountKey.json');
+
+try {
+  if (envServiceAccount) {
+    let serviceAccount;
+    if (envServiceAccount.trim().startsWith('{')) {
+      serviceAccount = JSON.parse(envServiceAccount);
+      console.log('[FCM] Initializing Firebase Admin SDK via direct env JSON string...');
+    } else {
+      serviceAccount = require(envServiceAccount);
+      console.log(`[FCM] Initializing Firebase Admin SDK via custom path from env: ${envServiceAccount}`);
+    }
     firebaseApp = admin.initializeApp({
       credential: admin.credential.cert(serviceAccount)
     });
-    console.log('[FCM] Firebase Admin SDK initialized successfully using serviceAccountKey.json');
-  } catch (err) {
-    console.error('[FCM ERROR] Failed to initialize Firebase Admin SDK:', err.message);
+  } else if (envServiceAccountPath && fs.existsSync(envServiceAccountPath)) {
+    console.log(`[FCM] Initializing Firebase Admin SDK via secure custom path: ${envServiceAccountPath}`);
+    const serviceAccount = require(envServiceAccountPath);
+    firebaseApp = admin.initializeApp({
+      credential: admin.credential.cert(serviceAccount)
+    });
+  } else if (fs.existsSync(localServiceAccountPath)) {
+    console.log('[FCM] Initializing Firebase Admin SDK via fallback local serviceAccountKey.json...');
+    const serviceAccount = require(localServiceAccountPath);
+    firebaseApp = admin.initializeApp({
+      credential: admin.credential.cert(serviceAccount)
+    });
+  } else {
+    console.warn('[FCM WARNING] No Firebase Service Account found in environment or local files. Background push notifications will be disabled.');
   }
-} else {
-  console.warn('[FCM WARNING] serviceAccountKey.json not found in server directory. Background push notifications will be disabled.');
+} catch (err) {
+  console.error('[FCM ERROR] Failed to initialize Firebase Admin SDK:', err.message);
 }
 
 async function sendPushNotification(chatId, senderName, body) {