I've noticed that around 23 August 9PM GMT+03:00 get object requests to a bucket originating from Asia or South America started failing with the error message below.
{
"error": {
"code": 403,
"message": "Permission denied."
}
}
I made public read/write allowing firebase storage security rules to a specific object path for testing purposes so that cannot be the culprit. I'm currently in EU region and everything works fine but if I enable a VPN and do Asia region I won't be allowed access, even if I attempt to access through an EU VPN location everything will work fine.
I use firebase client SDK version 9.6.11, and also interestingly I don't receive the permission error for uploadCalls. It is specific to getMetadata or getDownloadUrl [1] calls.
[1] https://firebase.google.com/docs/storage/web/download-files#download_data_via_url
Below is the code that'll fail with permission denied error if request comes through the regions I've mentioned, after a lot of digging I figured that this only fails if the object in question has custom metadata set.
// firebase client sdk
const storageRef = storage.ref(queryPath);
const url = await storageRef.getDownloadURL()
// this block is executed through firebase admin sdk
const metadataObject = {
metadata: {
fileTimestamp: Date.now(),
// and few other fiels
}
}
bucket.file(`queryPath`).setMetadata(metadataObject)
Again to reiterate, an object having a custom metadata set won't cause any issues if frontend storage SDK get request is from a user in Europe or North America. If I setMetadata as null, all requests will be allowed once again which was incredibly odd behavior to me.
Apparently this was caused by an issue on GCP's end. This was what google cloud dev support followed up with. I've been still experiencing this issue intermittently but way less frequently.
I have contacted the Firebase Engineering team regarding the issue and
have an update from the product team informing that they completed a
rollback in Firebase Storage, could you please confirm if the issues
with 403's still persist?
Related
I'm using Firebase Storage to keep some files of my App. Suddenly I started to get an SSL errors on both iOS and Android platform and no idea what's the issue.
iOS :
NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://firebasestorage.googleapis.com:443/v0/b/XXXXX.appspot.com/o?delimiter=/, NSUnderlyingError=0x600002e81440 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStr
FLTFirebaseStorage: An unknown error occurred while calling method Reference#listAll
Android :
V/NativeCrypto(16839): SSL handshake aborted: ssl=0xbd081f68: Failure in SSL library, usually a protocol error
V/NativeCrypto(16839): error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (third_party/openssl/boringssl/src/ssl/tls_record.cc:242 0x9b4e9d4c:0x00000000)
W/NetworkRequest(16839): error sending network request GET https://firebasestorage.googleapis.com/v0/b/XXXXXX.appspot.com/o
According to our investigations, USOM (National Cyber Incident Response Center) seems to block firebase cloud storage services. The issue is interestingly seemed to be related more with Turkish Government rather than Firebase. This explains why VPNs still work for accessing your files. ISP is blocked by the government in order not to reach storage services of google. I think someone (may be a responsible team in Google) need to reach them and illuminate that their action is weird and they should not block whole storage service for preventing an access to a file which they think is illegal..
Here you can check the block list:
https://www.usom.gov.tr/url-list.txt
you can search firebasestorage.googleapis.com, it is there.
I have implemented Firebase storage put method to my nextJs App in order to upload pictures on Firebase Storage.
When I tested this method on my localhost, it worked like a charm but when i came to production, Firebase returned me a non verbose error :
"the server responded with a status of 405 ()"
or " cannot post 405' " on my Antd Design graphic Library
the weirdest is that response is irregular.
From the form url, it always respond this 405 error but if i try from the form component mounted in another url, it works, and in another context, sometimes it works sometimes it doesn't.
It is very hard to understand what happen and I can't find any lead on the Internet.
My NextJs App is hosted on Vercel Server and I guess all is well set up, authentication work for example but I did not try to access RTDB or Firestore.
This error is intermittent so I could imagine that is not a CORS Problem, neither a token access problem, because I tried without token access and I got an explicit error.
Thank you truly to dedicate some of your time to help me figure it out.
Have a nice day.
Example of my very "classic" method from Firebase documentation :
firebaseApp
.storage()
.ref(`pictures/${file.name}`)
.put(file.originFileObj)
.then(() => {
console.log("Picture uploaded")
})
.catch((err) => {
console.log(err.message);
});
After running the following line in node-js:
import * as admin from "firebase-admin";
import * as serviceAccount from "../../firebase_service_account_key.json";
const app = admin.initializeApp({
credential: admin.credential.cert(serviceAccount as any),
databaseURL: "https://my-app-path.firebaseio.com"
});
admin.messaging().send({
token: "known-good-token",
notification: {
title: "Test Push Note",
body: "Here is some text"
}
});
I'm getting the error:
Error: Auth error from APNS or Web Push Service
Raw server response:
"{
"error":{
"code":401,
"message":"Auth error from APNS or Web Push Service",
"status":"UNAUTHENTICATED",
"details"[
{
"#type":"type.googleapis.com/google.firebase.fcm.v1.FcmError",
"errorCode":"THIRD_PARTY_AUTH_ERROR"
},
{
"#type":"type.googleapis.com/google.firebase.fcm.v1.ApnsError",
"statusCode":403,
"reason":"InvalidProviderToken"
}
]
}
}"
I've added an "APNs Authentication Key" to my ios project under the Settings > Cloud Messaging section of Firebase. I've also properly downloaded and imported my service account json file.
In terms of research, I've tried looking up the errors.
For the InvalidProviderToken error, this answer seems to indicate I'm using an old token. This is totally possible, but the logs on my app and database appear to match, so it seems off.
As for the THIRD_PARTY_AUTH_ERROR, google gave me no hits. The closest thing I found was this, and the following text might be the culprit (EDIT: it's not the issue):
auth/unauthorized-domain
Thrown if the app domain is not authorized for OAuth operations for your Firebase project. Edit the list of authorized domains from the Firebase console.
Does anyone have anymore details on this error which might help me get to the bottom of it?
This error arises if your app setup for iOS has an error in any one of the following:
Found in Settings > General > Your Apps > iOS Apps:
App Store ID
Bundle ID
Team ID
When adding an APNs key (Uploading to Cloud Messaging > APNs Authentication Key):
Team ID (should auto set based off ios app info above)
Key Id (often is in the name of the key, best to grab when creating it)
Everything worked for me the other day, so all setup was fine. But today I got this error.
Here's what solved it for me:
Revoked APNs Key
Created new one and downloaded it
Deleted old one and Uploaded it to Firebase Dashboard / Settings /
Cloud Messaging
Gone to Settings / Service Accounts and generated new private key
Added it to my Cloud Functions project (renamed it to
service-account.json in my case)
Saved the files and deployed the functions: firebase deploy --only
functions
Did you call admin.initializeApp()?
There are many official samples.
See:
https://github.com/firebase/functions-samples/blob/master/fcm-notifications/functions/index.js#L20
https://github.com/firebase/functions-samples/tree/master/fcm-notifications
https://github.com/firebase/functions-samples
https://github.com/firebase/quickstart-js/tree/master/messaging
I had the same issue. The culprit was lowercase APNs teamId. Changing it to capital solved it.
Double check if you have uploaded your apns key on firebase console. That was my case.
I can successfully use the Realm GraphQL Client with a realm path like myInstance.us1.cloud.realm.io/~/realmName but when trying to use a global path, i.e., myinstance.us1.cloud.realm.io/realmName, I always get a 502 response from the server.
Any thoughts?
TLDR;
I have been fighting with getting data from a global/shared realm, i.e., no /~/ in the realm path with no luck. I always get a 502 Bad Gateway in response to executing a query. If I add the /~/ to the realm path, a connection is established and a new and empty user-specific realm is created (as expected) but then queries fail because the realm is empty (also expected).
Does the GraphQL Service provided by Realm Cloud support connecting to global/shared realms? I’ve skimmed over the source for both the server and client and did not see any specific reason why global/shared would not be supported.
I also tried passing isQueryBasedSync to the GraphQLConfig which results in a connection and successfully executed query, but the query responses are always empty
Any advice is greatly appreciated.
I got past the 502 Bad Gateway error using the undocumented API(s) shown below (I had to find them by reading the current code in the realm-graphql repo):
const credentials = Credentials.usernamePassword(<username>, <password>);
const user = await User.authenticate(credentials, <server>);
const config = await GraphQLConfig.create(user, <realm_name>, undefined, false);
const client = config.createApolloClient();
However, I now frequently receive the following error during GraphQLConfig.create execution:
network timeout at: https://.cloud.realm.io/auth
Additionally, I posted this question on the Realm Forums that you may want to follow and received the following response:
Getting a 502 in the GraphQL service usually means you were trying to open a very large Realm that runs into some resourcing limits.
I am still waiting for more information from the Realm team and will update this answer accordingly.
I am following the following Google Cloud Vision quickstart:
https://cloud.google.com/vision/docs/quickstart
This is using the API Explorer, and I get
Error Opening File
I have created a bucket named vision2018, and checked Share Publicly for the file.
My portion of the request related to the file is:
"image":
{
"source":
{
"imageUri":"gs://vision2018/demo-image.jpg"
}
}
The response I get is:
{
"responses": [
{
"error": {
"code": 5,
"message": "Error opening file: gs://vision2018/demo-image.jpg\"."
}
}
]
}
}
What do I need to specify in order to access files in my GCP storage?
Alternatively, I read other Stack Overflows that talk about GOOGLE_APPLICATION_CREDENTIALS, Simple API Key, and "Create Service account key and download the key in JSON format", ... but these seem to be giving commands in the shell, which this quickstart doesn't even open.
Is there initial setup assumed prior to the quickstart?
I am not ready to call the api from code
You might want to doublecheck your request. I went to the quickstart, replaced the placeholder imageUri with gs://vision2018/demo-image.jpg and it worked just fine. The error message you posted is what would be displayed if you had given gs://vision2018/demo-image.jpg\" instead.
Regarding the second part of your question: these are authentication methods. In this particular case, under Authentication you will find a drop down which lets you chose between API key and Google OAuth 2.0. If you chose the former, you don't need to do anything as a demo key will be used just for the purposes of the quickstart. If you chose OAuth 2.0, a popup will appear prompting you to authenticate with a google account. All in all, what you need to do is follow step-by-step the instructions given by the quickstart.
I was receiving a similar JSON response from the Google Vision API:
"error": {
"code": 7,
"message": "Error opening file: gs://bucket/file.jpg."
}
The fix was to set the GCS file's permission to public-read:
gsutil acl set public-read gs://bucket/file.jpg
Finally I investigated what happened. The problem is that your API token is only grant for process the image (allow right to use OCR engine), but that API is not also for accessing object in GS.
Therefore "message": "Error opening file:
The problem is similar with this post:Authorize Google Cloud Vision API to Google Storage image Maybe the error message is a bit dumb than many years ago.
The solution also mentioned in the answer section, but if you want some thing more clear (expose security side-effect) here it is: Set GCS read-only public
Reason I want to keep using API because it's better for use it in mobile application, we cannot give the OAuth2.0 to any phone. However, still find a way to secure the read-public bucket.