I'm trying to get a list of topics subscribed to via the firebase API.
My firebase project has an api-key, which is known to the client. The client has also generated a messaging-token (which I guess is really a google iid). So both are public information.
I am attempting a GET to the following url (based on these google iid instructions)
https://iid.googleapis.com/iid/info/<messaging-token>?details=true&Authorization:key=<api-key>
I also have a header Authorization:key=<api-key> as the instructions are little ambiguous
I am getting 401 responses.
I have done this a few months ago but then I had to provide a secret server key, which the firebase UI described as legacy then, and which is now not available. There is a private key in the UI but that also results in 401s.
What do I need to do?
Related
I'm learning Flutter myself and need some expert guidance on the right way to do what I want.
I would like to allow the user of my Flutter application to securely send some sensitive data (e.g. email, phone number, name etc.) to my PHP based website (with REST API) and then, after some time, I would like to send a reply (e.g. . text) from my website to the sender's device and displaying it on the User's screen.
I suspect I should use Firebase Cloud Messaging for this - am I right?
I found tutorials that explain how to send data from Flutter-> FCM and from PHP(curl)-> FCM. But I can't find the tutorial explaining how to send data from Flutter-> FCM-> PHP?
Firebase Cloud Messaging is typically used to send messages from the server to the application, when the user may not be actively using it. While it can be used to send messages from the client to a server, it is much less common for that.
That's because calling a PHP API from your Flutter app is no different than retrieving any data from the internet, and can be accomplished in a multitude of ways. One of the simpler approaches is documented in Flutter's fetching data from the internet page and uses the http package.
I received an alarming email from Google a couple of days ago stating that:
[Action Required] Firebase services for your application are malfunctioning due to Application restrictions
I have a Vue based website that uses Firebase for Authorization of users and storing files they are uploading. When I configured the API key that I set up, I restricted this key on the application level, to only work from the address of my website.
I did not impose any API restrictions - Under API Restrictions the radio button with Don't Restrict Key is marked
Having said that, when I try to use my website, I get the following error:
[403] Requests from referer [WEBSITE] are blocked.
The email I got from Google stated that:
Firebase SDK updates on February 27, 2020 (Android) and January 14, 2020 (iOS) replaced the Firebase Instance ID service with a dependency on the Firebase Installations API.
As a result, Firebase services like Firebase Cloud Messaging will malfunction for users who installed your app after it was released with updated Firebase SDKs. Additionally, repeated failing requests to Firebase may slow down the end-user experience of your app.
Application restrictions you have applied to the API key used by your Firebase application need to be updated to allow your application to use the API key.
Inside this mail, there were the following instructions:
Open the Google Cloud Platform Console.
Choose the project you use for your application(s). Open APIs &
Services and select Credentials.
Click Edit API key for the API key in question.
Scroll down to the Application restrictions section.
Change the radio button to None, and click Save, or add your
application to the list of allowed Android apps, iOS apps, or HTTP
referrers, respectively.
If the radio button already shows None you may be looking at the
wrong API key.
You can check which API key is used for the Firebase Installations
API by looking at the service usage page for your project.
Since I do not have any API restrictions and there is also no other API key that I have, I don't understand how to solve this situation.
One option that works is having no application restrictions, but I don't think that is the correct solution.
I also tried changing the API Restrictions to allow only the services from Firebase that I am using, but that did not fix the problem.
Any help or direction to a solution, will be appreciated.
I am building some internal API for my apps/website with Firebase Functions. Internal API as in to let my apps/website to process something on server side, its doesn't mean to open to public use.
My Apps is built with ionic and website is built with angular.
I noticed the one of Firebase Functions Pricing calculation include "Invocations". Is that Invocations means every time when I call the API equal to 1 Invocation? If yes, then the API might be abused by end user, since they able to view the website source and found the API.
I been searching solution in google, some of them suggest to enable authentication and cors, to avoid abuse of the usage. But authentication and cors still counting the Invocations right?
My code structure:
client call API by get/post method, pass user TOKEN that get from Firebase Authentication
request reach the Firebase Functions
server will check the preflight info by using CORS, as well as validate the TOKEN.
Return error if didn't pass on the (3), else proceed to execute the function.
So I assume if end user inspect my web source code and get the API URL, they can simply spam my API right? Then my bill will burst because of the load of Invocations.
If you suspect that your project is being abused, which is always possible, contact Firebase support to work towards a resolution.
When I try to send Get Request in Postman in the Url
'https://iid.googleapis.com/iid/info/IID_TOKEN', it gives me Internal Server Error.
The IID_TOKEN I get is from FCM (Firebase Cloud Messaging) Server Key.
The YOUR_API_KEY I get is from FCM (Firebase Cloud Messaging) Legacy Server Key.
Am I sending the correct IID_TOKEN and YOUR_API_KEY? Or is it any authorization that I have not done?
Please help me on this.
Thank you.
How you obtain the IID_TOKEN depends on the client SDK you are using. In the Cloud Messaging Guide, the section for each client SDK (e.g. iOS, Android, Web, etc) has a topic titled Send Your First Message with a step describing how to obtain the registration token. For example, the Android description says to use FirebaseInstanceId.getInstance().getToken().
From your post, it sounds like you are using a server key, which is not correct.
There is an example GET request in the documentation.
In Firebase console under Project Settings/General beneath the Project ID field there is a Web API key :
Where is this used? I know that the Server key found under Project Settings/Cloud Messaging is used as Authorization key to make calls to the firebase console:
I have also noticed that in google-services.json ther is an "api_key" property that has a "current_key" value which is different from both keys that I have mentioned. What is that key?
From my answer here:
current key - nothing is explicitly stated anywhere in the docs where it is used, however, among the 3 services where the google-services.json was originally used for before Firebase (Google Sign-in, Analytics, GCM), I'm guessing it would be between Google Sign-in and Analytics. As also mentioned by #DiegoGiorgini here:
The api_key value in google-services.json is not used by FCM. (it is used by other Firebase libraries)
So it can be for a separate Google non-Firebase or Firebase service.
Web API Key - this one I haven't had a chance to use before. However, I've seen other posts wherein this specific API key is used often on Web apps related to Firebase (possibly also for Auth purposes?), but I'm not entirely sure.
Server Key - as per the docs:
A server key that authorizes your app server for access to Google services, including sending messages via Firebase Cloud Messaging.
current_key (as per the docs) is the Android key auto-created by Firebase when creating a Firebase Android App. It's NOT used to control access to backend resources. Instead, it's used to identify your Firebase project when interacting with Firebase/Google services. Specifically, it's used to associate API requests with your project for quota and billing.
Web API Key (as per the docs): can be used to authenticate users by passing its value to the key query parameter in several API endpoints, e.g., sign up or sign in using email & password, generate refresh token, etc.
Server Key (as per the docs): is a server key that authorizes your app server for access to Google services, including sending messages via the Firebase Cloud Messaging legacy protocols.