I'm new to flutter and i am trying to run a chat app with getstream and firebase but i keep running into errors error im running into
Make sure that your API Key is correctly entered in your code. From your Stream Dashboard you can access your Stream app's API Key and Secret. It might be that the key you're entering is for a Stream app that was deleted, or there is a typo.
Make sure that the API key for your APP there matches exactly with what you pass into your Stream client:
final client = StreamChatClient(
'YOUR-KEY', // Make sure this is correct.
logLevel: Level.INFO,
);
I noticed in the screenshot you shared that you also have a kSecretStreamKey in your code base. Your secret key is not meant to be used in your Flutter (frontend) application. The secret key is needed to perform sensitive operations on your server (backend) - for example, generating user frontend auth tokens. If you include the secret key in your Flutter codebase, you risk a malicious actor retrieving it by decompiling your application. Your Secret Key is the equivalent of a password.
I recommend taking a look at the Stream Flutter tutorial page if you're still stuck: https://getstream.io/chat/flutter/tutorial/
Or the Stream Flutter YouTube Playlist: https://www.youtube.com/watch?v=pO_MOJRqYlk&list=PLNBhvhkAJG6t-BxkRAnSqa67lm5C1mpKk
Related
Tl;dr.. I'm making a todo app where I store data in Firestore, and I don't want anyone to see it not even the devs from firebase console. I found many encryption pkgs that do the job, like: encrypt. My problem is how to I handle the 'encryption key'. I don't want to keep it local because in my app user can access it's account from different devices, so if the key is stored locally they cannot decrypt thus retrieve their data (notes) from the other device (i hope this makes sense). So, do I send the 'encryption key' to firestore in a seperate collection or ... how should I approache this ?
You could store the key with Firebase Remote Config and retrieve it in the app when you need it.
Firebase Remote Config is a cloud service that lets you change the
behavior and appearance of your app without requiring users to
download an app update. When using Remote Config, you create in-app
default values that control the behavior and appearance of your app.
Then, you can later use the Firebase console or the Remote Config
backend APIs to override in-app default values for all app users or
for segments of your user base.
Check out the documentation for the flutter_remote_config plugin.
Summary of our problem:
We released last week our app bundle in the Huawei AppGallery.
We used the Huawei Map Kit in order to integrate Maps. However, there seems to be a problem with map kit.
We receive the error messages:
V/HmsMapKit_MapDataVersionClient_15: build request with apiKey
D/HmsMapKit_AuthenticateClient_86: response code : 401
E/HmsMapKit_TileCache_38: startUrlRequest Identity fail, do not has permission get tile. authResult :010002
What we have done so far:
Enable mapkit in AppGallery connect
Add sha256 fingerprints of the signed bundle to the app in AppGallery conncet
Build the app with agconnect-services.json
Initializing mapkit with the api key setup on the huawei developer page
Encode the API key as below: URLEncoder.encode("", "utf-8")
Tested the rc before uploading where it worked perfectly fine
As we are having troubles in identifying the cause for our problem, it would be very helpful to get further advice.
Thank you very much in advance.
Seems to be you are.using signing by AppGallery.
If so, you have to add one more SHA-256 to project settings, which you can get from application singing settings in console
According to this Docs,It's most likely caused by the following:
When localy building apk works but store submitted apk does not work, it is most likely the signing issue.
And for App bundle signing, there are 2 ways.
AppGallery Connect generates a new signature key for your new app
App Signing allows you to upload your own signature key
NOTE
Once a signature key is generated in AppGallery Connect or uploaded by you, it cannot be modified.
so depends on the approach, you might already have a signature key that is fixed already.
and it seems in this case you have your own signature key.
when we need to use upload key to sign apk before submit to AppGallery, do not use signature key to sign for upload apk, in this case, also upload key certificate and upload key to AppGallery.
need to make sure signature key certificate and upload key certificate are correct if used.
Lately Slack API recommend using Signing Secrets - but I can't find in the documentation a proper explanation how to post a message with rest api.
Is there a good example \ proper documentation or even better - a code sample of posting a message to channel using Python Requests + Signing Secret?
(Or any other language\lib + Signing Secret).
Signing Secret isn't necessary in every situation.
If you are sending massage to channel you don't need to use signing key.
As documentation said Signing Secret is used when you are receiving information from Slack.
What are signed secrets?
Slack creates a unique string for your app and shares it with you.
Verify requests from Slack with confidence by verifying signatures
using your signing secret.
Grate examples with usage of Signing Secret you can find at their github:
With socket usage
With flask server usage
But TL;DR everything what you have to do is pass secret while you are creating App object.
Something like this:
app = App(signing_secret=os.environ["SLACK_SIGNING_SECRET"], authorize=authorize)
Implementation of request verification in Python Bolt framework:
https://github.com/slackapi/bolt-python/tree/main/slack_bolt/middleware/request_verification
I'm trying to make use of an API from a local bank, which uses OAuth2 as their authorization method.
The authentication process is as follows:
User clicks on button, webview within application is launched, and user is directed to
URL A: "https://{API URL}/{constant key}/{redirect url}"
Then they have to authenticate with their banking credentials, and the next page prompts them to key in an OTP.
If this is successful, the session token will be embedded in the redirect url as such:
Redirect URL: https://{redirect url}/{access token}/{type}
How can I cache or store this access token as a variable in my flutter code so that i can use it for other API calls? I am currently using flutter webview plugin and i have no issues launching the webview and reaching the different URLs, but i can't seem to find a method to store the token.
For local storage:
You can use https://pub.dev/packages/shared_preferences which uses the native counterparts for storing preferences. Its basically a key/value store.
Wraps NSUserDefaults (on iOS) and SharedPreferences (on Android),
providing a persistent store for simple data. Data is persisted to
disk asynchronously. Neither platform can guarantee that writes will
be persisted to disk after returning and this plugin must not be used
for storing critical data.
Another alternative would be SQLite with this package: https://pub.dev/packages/sqflite
SQLite plugin for Flutter. Supports both iOS and Android.
You can of course also use the File I/O capabilities of Flutter as described in the docs:
https://flutter.dev/docs/cookbook/persistence/reading-writing-files
Another route is by using a cache manager package, which will use the cache of the app together with SQLlite in the background. Might also be a solution but files can be deleted by the OS at any point in time. See the package at: https://pub.dev/packages/flutter_cache_manager
for remote storage:
Then of course, as most of the flutter developers use firestore (https://firebase.google.com/docs/firestore) or cloud storage (https://firebase.google.com/docs/storage) from the Firebase Brand, you can easily chose to go this way. Of course then the data would be in the cloud. Dont know if that meets your security requirements.
Most likely i would prefer going the local persistence way with the first mentioned methods.
Documentation of firebase https://firebase.google.com/docs/web/setup tell us we can safely expose firebase apiKey:
Note: The Firebase config object contains unique, but non-secret
identifiers for your Firebase project.
The tutorial explains how to obtain the apiKey and insert it into the HTML code of our web app. Everyone can read that key. I would understand this is only an identification key.
But recently I received this message from google:
We have detected a publicly accessible Google API key associated with
the following Google Cloud Platform project:
[...]
The key was found at the following URL:
[...]
We believe that you or your organization may have inadvertently
published the affected API key in public sources or on public websites
(for example, credentials mistakenly uploaded to a service such as
GitHub.)
Please note that as the project/account owner, you are responsible for
securing your keys. Therefore, we recommend that you take the
following steps to remedy this situation:
If this key is intended to be public (or if a publicly accessible
key isn’t preventable):
Log in to the Google Cloud Console and review the API and
billing activity on your account, ensuring the usage is in line with
what you expected.
Add API key restrictions to your API key, if applicable.
If this key was NOT meant to be public:
Regenerate the compromised API key: Search for Credentials in
the cloud console platform, Edit the leaked key, and use the
Regenerate Key button to rotate the key. For more details, review the
instructions on handling compromised GCP credentials.
Take immediate steps to ensure that your API key(s) are not embedded in public source code systems, stored in download
directories, or unintentionally shared in other ways.
Add API key restrictions to your API key, if applicable.
In general I would say that the two sources of information are in contrast each-other. Is it true that the apiKey is "non-secret"? Reading also the related question Is it safe to expose Firebase apiKey to the public? I'm not really sure. I understand that the apiKey is enough to access the whole database if rules allow to.
First question: I wonder if I can be assured that the apiKey only gives access to the database (which can be restricted by rules) or if it gives also access to other information about the project. What about storage? The user can read files? Can write them? The key is called "web API key" so I understand is a unique identifier of the project. Before receiving the message from google I have considered it more as an identifier than a key. Since every access to the project API is a potential cost for me, the owner of the project, I understand that a key is required for billing purposes.
Second question. Since I would like to have full control of what user can access in the database my application is presenting a REST api as an interface to the database (using functions). So the user is not supposed to directly access the database. I have the following rules
service cloud.firestore {
match /databases/{database}/documents {
match /global/public {
allow read;
}
}
}
The intention is that user can only read the documents prefixed with /global/public (currently empty). So I think the database is secured. Now I wonder if I really need to expose the apiKey... Is the apiKey required for user authentication? If so, can I ignore the message from google and leave the apiKey public?