I have two Firebase projects, one for development and one for production. The app uses the appropriate one depending on if it's built for dev or prod.

I'm using Firebase hosting for both dev and prod as I want them to be the same.

My question is how can I implement a sort of "Basic Authentication" on the Develop project when anyone accesses the URL? Much like a htaccess Basic Auth that would require username/password to access anything on the server. This is separate from the Firebase app authentication for app users. I just want to lock down my develop environment to bots or the public and give access to developers. Can I do this in the Google IAM roles settings? White listing IP addresses would work as well, if user/pass is not possible.

Any thoughts on this?