Calling cypress-firebase's cy.login() does not result in logged-in user - firebase

I am using Cypress for end-to-end testing an application, together with the cypress-firebase package. I followed the official setup instructions (using TypeScript, and the Firebase Web SDK version 9 with the compat mode).
In my tests, calling cy.login() seems to work as expected in that Cypress logs that the createCustomToken task successfully performs two HTTP POSTs with status code 200 each.
However, when visiting a page of the application afterwards, no user is logged in. In the application, the login status is supposed to be detected using Firebase's onAuthStateChanged function. It seems that cy.login() never triggers onAuthStateChanged, though.
My best guess is that maybe the auth instances used by cypress-firebase and the application code are not the same?! Is there a way to confirm this, or could there be another reason?
Happy to provide further information if it may help.

The issue was indeed related to the auth instances not matching: the application was using a named instance, whereas the initializeApp code in Cypress was not naming the app (and thus relying on an app instance named [DEFAULT]).
Fortunately, cypress-firebase has support for named apps:
const namedApp = firebase.initializeApp(fbConfig, "app_name");
attachCustomCommands({ Cypress, cy, firebase, app: namedApp });

Related

How to use Firebase (or Firestore) as an intermediary between a desktop app and an external API endpoint?

I have a desktop app that will be distributed to users, and part of its code (which the user might be able to access) has to perform an API call to a third-party web service. However, this requires the API keys to be embedded into the source code, which causes some obvious security issues.
The main solution I've found while researching on the subject is to have a backend server between the user and the third-party API endpoint. So, I've been looking into Firebase for a while and it seems that this solution can be implemented using Firestore and Cloud Functions.
But, I wasn't able to find any clear examples that achieve something like this, and since I have no previous experience with Firebase or just backend programming in general, I would like to know if I'm on the right track and get more details about how to get it done, or if there are better alternatives for solving this issue. Any input is appreciated, thx.
You can use Firebase Cloud Functions as you mentioned. Your desktop application will be communicating with the cloud function - a simple API call. Here you can find examples of how to implement and deploy functions and test them locally: https://firebase.google.com/docs/functions/get-started. Your cloud function will hold the API keys (it is backend, so it will be secure if you don't expose it explicitly; also, backend-to-backend communication is considered secure). Finally, this cloud function will call the third-party service and return some data back to the desktop app if needed. So you are on the right track; that is how the design should look. If you need some help with cloud functions, you can also contact me directly.

Firebase Auth in Cross-Origin-Isolated mode?

I am working on a web app, which runs compute-intensive code using Emscripten's multithreaded WASM and therefore needs SharedArrayBuffers. Those only work if my app is in Cross-Origin-Isolated mode. And to enable that, I have to set the following headers on my app:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Now, I would like to use Firebase in my project - first step is to integrate Firebase's Auth. Right now, I'm using firebaseui for handling the login flow. Unfortunately, that doesn't work and when I'm starting the login flow in my browser, I can see the following message in DevTools:
Apart from the error in the network tab, I don't get any indication that an error happened (i.e. no uncaught exceptions). Without the COOP/COEP headers, everything works fine.
Is there a way that I can use Firebase's Auth in Cross-Origin-Isolated mode?

Is it possible to only accept function calls from my app in Firebase?

I am creating a game in Unity where the user can contribute with levels using a Level Creator system.
My application is set up in a way that I just need to call the Cloud Function with the level info, and it handles duplicate entries and saves it to Firestore. All of this works perfectly.
My question, basically, is: can I have my functions only accept calls from my game? (without having my users registered?).
Naturally, I am using functions.https.onCall((data, context) => {}). In the documentation for Firebase, I noticed they use context.auth to check whether the user is authenticated or not. However, I am logging this value to the console and it appears to be undefined.
I am also confused with this line, from the same link:
With callables, Firebase Authentication and FCM tokens, when available, are automatically included in requests.
Maybe context.auth is not defined because my game isn't yet in Google Play / Apple Store? Any ideas?
Thanks to the new feature called Firebase App Check, it is now actually possible to limit calls to Callable Cloud Functions to only those coming from iOS, Android and Web apps that are registered in your Firebase project.
You'll typically want to combine this with the user authentication based security that Doug describes in his answer, so that you have another shield against abusive users that do use your app.
It's not possible to restrict invocations of a callable function to just one app, and it doesn't matter if the app is published to any stores. Once you deploy a function, it's accessible to anyone with an internet connection.
The best you can do is require your users to be authenticated with Firebase Authentication in your app, then check context.auth in the function to determine if it should do what the user wants. context.auth will be undefined in the case of no authentication. If your code determines that the function should not go any further, you can return early. But the function is still invoked.

Firebase Remote Config & A/B Testing with real time updates

I've implemented real time remote config updates via the documentation here.
In general, it works as expected, except when it comes to experiments via A/B Testing. Changes to A/B Testing that affect remote config do not fire the update cloud function hook.
Does anyone know if it's possible to have the functions.remoteConfig.onUpdate cloud function hook trigger when a change to remote config is made via an A/B Testing experiment change?
The only workaround I can think of is to have a dummy value in remote config itself that I change whenever an experiment is created/updated.
firebaser here
There is nothing built into Remote Config for that at the moment. But thanks to the integration between Cloud Functions and Remote Config, you can build it yourself.
One of our engineers actually just gave a demo for this last week. I recommend you check it out here: https://youtu.be/lIzQJC21uus?t=3351.
In this demo, there are a few steps:
You publish a change from the Remote Config console.
This change triggers Cloud Functions through a functions.remoteConfig.onUpdate event.
The Cloud Function sends an FCM message to all apps through a topic.
When an app receives this message, it shows a prompt that the configuration is out of date.
When the user clicks the "fetch" button, the app fetches the new configuration data from Remote Config.

Avoid spamming to my API that build with Firebase Function

I am building some internal APIs for my apps/website with Firebase Functions. Internal API as in: it lets my apps/website process something on the server side; it isn't meant to be open to public use.
My apps are built with Ionic and my website is built with Angular.
I noticed that one of the Firebase Functions pricing calculations includes "Invocations". Does "Invocations" mean that every time I call the API, it counts as 1 invocation? If yes, then the API might be abused by end users, since they are able to view the website source and find the API.
I have been searching for solutions on Google; some of them suggest enabling authentication and CORS to avoid abuse of the usage. But authentication and CORS still count as invocations, right?
My code structure:
1. The client calls the API by GET/POST, passing the user TOKEN obtained from Firebase Authentication.
2. The request reaches the Firebase Functions.
3. The server checks the preflight info using CORS, as well as validating the TOKEN.
4. Return an error if (3) didn't pass, else proceed to execute the function.
So I assume that if an end user inspects my web source code and gets the API URL, they can simply spam my API, right? Then my bill will burst because of the load of invocations.
If you suspect that your project is being abused, which is always possible, contact Firebase support to work towards a resolution.
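The three threads above (keeping the third-party key on the server, rejecting calls that lack App Check or a signed-in user, and bounding how much work an abusive caller can trigger) fit into one callable-function handler. This is an added example, not code from any of the answers; it assumes the firebase-functions v1 callable signature (data, context), with context.auth set for signed-in users and context.app set when a valid App Check token was sent, and it defines a local HttpsError stand-in so the file runs without the SDK installed. The upstream URL and key are constructed placeholders.

```javascript
// Added example: server-side gatekeeping for a callable Cloud Function that
// proxies a third-party API. HttpsError stands in for functions.https.HttpsError.
class HttpsError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// The third-party key lives only on the server (env var), never in the client.
const THIRD_PARTY_KEY = process.env.THIRD_PARTY_KEY || 'placeholder-key';
const UPSTREAM = 'https://api.example.test/lookup'; // constructed placeholder

// Per-uid fixed-window counter. A rejected call is still one billed invocation;
// this only bounds the upstream work (and upstream quota) one caller can burn.
const LIMIT_PER_MIN = 30;
const windows = new Map();
function allow(uid, now = Date.now()) {
  const w = windows.get(uid);
  if (!w || now - w.start >= 60_000) { windows.set(uid, { start: now, n: 1 }); return true; }
  return ++w.n <= LIMIT_PER_MIN;
}

// Order matters: App Check first (rejects traffic not from a registered app),
// then authentication, then the per-user budget.
function authorize(context) {
  if (!context.app) throw new HttpsError('failed-precondition', 'missing App Check token');
  if (!context.auth) throw new HttpsError('unauthenticated', 'sign-in required');
  if (!allow(context.auth.uid)) throw new HttpsError('resource-exhausted', 'slow down');
  return context.auth.uid;
}

// Handler body; fetchImpl is injectable so the logic can be exercised offline.
async function lookupHandler(data, context, fetchImpl = globalThis.fetch) {
  authorize(context);
  if (typeof data?.q !== 'string' || data.q.length > 64) {
    throw new HttpsError('invalid-argument', 'q must be a short string');
  }
  const res = await fetchImpl(`${UPSTREAM}?q=${encodeURIComponent(data.q)}`, {
    headers: { Authorization: `Bearer ${THIRD_PARTY_KEY}` },
  });
  if (!res.ok) throw new HttpsError('unavailable', `upstream ${res.status}`);
  const body = await res.json();
  return { result: body.result }; // forward only the fields the client needs
}
// Wiring in a real deployment (not executed here):
//   exports.lookup = functions.https.onCall(lookupHandler);
```

Enforcing App Check on the function is a separate project-side setting; the context.app check here rejects callers that did not present a token but does not by itself validate one.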
