We got a weird case where some users are reporting being blocked from being able to connect to our website which has a Firebase backend.
When the users look at their dev console, it's firing out ERR_CERT_DATE_INVALID attached to the database point, which doesn't make a lot of sense to us why the database would be having what I thought is an SSL error, and only for some users.
I've attached what the users are seeing but haven't been able to repro the issue ourselves.
BACKGROUND INFO
I have developed an application in R through the shiny package, and deployed it online through the shinyapps.io service.
Among its different functions, the shiny app can send emails (through my personal Google Account) to users if they fill in a form. The emails are sent through the functionalities of the gmailr package, and to make it work I had to follow the procedure on the Google Cloud Platform to create a JSON token, configure the OAuth consent screen, and store the credentials I obtain in a folder of my R project. All the steps to this process are reported at the end of this GitHub issue I opened a while ago.
THE PROBLEM
The JSON token I generated on the Google Cloud Platform expires after some days.
After googling around, I noticed that this can happen if my "Application", on Google Cloud, is still in the Testing phase. First question about this statement:
What does it mean when Google refers, on the OAuth screen, as an Application in Testing phase? My application is already online on shinyapps.io, it's already functioning, and when I create a new token it can also send emails correctly (for a while).
In addition, on the Google's OAuth consent screen, I now have the possibility to "publish" such application. If I do that, the status changes as In production, and this message is displayed. Other questions:
What does it mean that the application will be available to everyone with a Google account? My application deployed on shinyapps.io doesn't require any login or any other data from the users, then what is this app they're talking about?
What will happen to users that try to connect to my application?
Are my credentials, as for example the JSON file, safe?
I know that there might be a lot of confusion in this post, but I am really not an expert in this field, and so I am worried to make some mistakes.
Thanks a lot for your help!
The GMail API, OAuth and all, is typically meant to allow your app to send email on behalf of any user. It seems your use-case is a little different - you only ever need to connect one user: your own.
What does it mean when Google refers, on the OAuth screen, as an Application in Testing phase? My application is already online on shinyapps.io, it's already functioning, and when I create a new token it can also send emails correctly (for a while).
I think you mostly answered this yourself in your further questions. Google thinks you're building an app that any GMail user can connect to, and so for security reasons, they want to differentiate between a test app and a production app. They don't necessarily know whether or not your app is published on shinyapps.io.
What does it mean that the application will be available to everyone with a Google account? My application deployed on shinyapps.io doesn't require any login or any other data from the users, then what is this app they're talking about?
I alluded to this earlier, but the GMail API is intended for apps that allow any GMail user to connect and manipulate their own email. Imagine a third-party email client, or similar. Again - Google's wording sounds a bit odd wrt your app since it doesn't fit that bill.
What will happen to users that try to connect to my application?
If you don't explicitly host your own server that implements OAuth with Google, then nobody can even try to connect. As long as you don't leak the shared secret from your Google Cloud Platform entry, you're safe.
Are my credentials, as for example the JSON file, safe?
Probably anyone with the JSON file can send email on your behalf. Marking your app as 'in production' will not change the security implications of your JSON file.
Unfortunately, Google has pretty tight security around their APIs nowadays. If you want to mark your app as "in production" you might open up a can of worms regarding "restricted scopes" (sending email counts as restricted). However, since you're using the JSON file instead of full OAuth, I'm not sure if this applies to you. To my knowledge, you should be safe to try marking your app as "in production". Worst-case scenario, you might be able to weasel around the strict verification requirements by saying your app is "internal":
Internal Use: The app is used only by people in your Google Workspace or Cloud Identity organization. Note that your app will not be subject to the unverified app screen or the 100-user cap if it's marked as Internal.
A project that we are building uses the Google cloud identity toolkit multi-tenant feature. We have two tenants that we are actively using. We interact with all of this through Firebase's authentication suite.
I've noticed that when using this the user accounts do not show up in Firestore's UI anymore. The same goes for the local emulator.
I know the user has been created because when I log in I get back the correct uid matching the user profile created in firestore that I can see in the local emulator.
I'd like to know if anyone can help me with one of the following:
Is there a way to manage the users created for a multi-tenant setup through the emulator?
Is there a way for me to use gcloud cli locally to manage the users that I have created locally?
Good news! The updated version of the emulator will show you tenants. Once you run the emulator, attempt to login as a user through a tenant, and your "auth" page will magically get a "Tenant" dropdown.
Bad news! The non-default-tenant users don't seem to persist by any export method I have discovered so far.
As for seeing those users in the firebase console, it's pretty easy, but an extra step. Under "authentication" in the firebase console, you should see a tenant dropdown.
If you open that, there will be a link "Other tenants can be managed in the Google Cloud Console". Click it, then click "users" on the left. Finally choose your tenant in the "Tenant" dropdown.
We've been seeing some sudden strange behaviour of our service account in Google Cloud console these past few days. We're using this service account to authenticate our API with Firebase SDK - and without any warnings the usage of this account just drops to zero (see attached screenshot).
There are no warnings from Firebase SDK telling us that the service account is no longer valid, and in fact the service account is stated as "active" in the cloud console. From Firebase SDK logs we're actually seeing the read/writes be completed, but they are not actually performed when viewing the data in Firebase console, which is why I expect the problem to be within the service account.
The temporary solution has been to create a new service account and upload the associated key to our API. Then it starts working again without any additional actions required, but suddenly the usage drops to zero after 12 hours++.
There are no alarms in Google Cloud Console and billing is activated with status OK.
Since the Firebase logs tell us "everything is OK", and Google Cloud console does not show any warnings, I don't understand where the problem might be. Anyone experienced something similar, and could point me in the right direction? Any help is much appreciated!
Metric graph of service account usage
I received an e-mail from firebase-noreply@google.com to the tune of:
[Firebase] Your unused Realtime Database ‘my secret’ will be deactivated in 14 day(s)
We've detected the following issue(s) with your security rules:
any logged-in user can read your entire database
any logged-in user can write to your entire database
I have an app on my Raspberry Pi which is available by web, that will send a firebase message to my mobile phone. It will enable a user (any friend of mine that I chose to tell the url to) to track my position. The webpage on my Rpi contains the API key.
Following this e-mail, should I still expect my app to work?
It's a while since I wrote the app but I do find it occasionally useful. The link that firebase sent me to edit my security settings doesn't work. I think I only had an entry in the firebase realtime database to enable me to get an API key. Please forgive me if I am asking a daft question but it has been years since I worked on this.
firebaser here
The email is specific to the Firebase Realtime Database of your project, and won't affect Firebase Cloud Messaging in any way. If calls to FCM succeed before the database is disabled, they will continue to succeed after the database is disabled.
Of course, if your app needs to interact with the database to do its work, that will stop functioning when the database is disabled.
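The two findings in the warning e-mail quoted in the question correspond to a Realtime Database rule set that grants `.read` and `.write` at the root to any signed-in caller. The following is an added example, not code from the question or from Firebase: a small auditor that flags such grants, run over a constructed weak rule set and a constructed per-user rule set (the `users/$uid` layout and the function names are assumptions).

```javascript
// Constructed sample: the rule shape the warning e-mail describes.
const weakRules = {
  rules: {
    ".read": "auth != null",
    ".write": "auth != null"
  }
};

// Constructed sample: each user can only touch their own subtree.
const scopedRules = {
  rules: {
    users: {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
};

// Expressions that grant access without checking who the caller is.
function classify(expr) {
  if (expr === true) return "anyone";
  if (typeof expr !== "string") return null;
  const e = expr.replace(/\s+/g, "");
  if (e === "true") return "anyone";
  if (/^auth(\.uid)?!==?null$/.test(e)) return "any logged-in user";
  return null;
}

// Walk the rules tree. Realtime Database rules cascade: a grant on a
// parent path cannot be revoked by a child, so each hit covers its subtree.
function auditRules(node, path = "/") {
  const findings = [];
  for (const [key, value] of Object.entries(node)) {
    if (key === ".read" || key === ".write") {
      const who = classify(value);
      if (who) findings.push({ path, op: key.slice(1), who });
    } else if (!key.startsWith(".") && value && typeof value === "object") {
      const child = path === "/" ? `/${key}` : `${path}/${key}`;
      findings.push(...auditRules(value, child));
    }
  }
  return findings;
}

// Render findings in the same wording the e-mail uses.
function describe(findings) {
  return findings.map(f => `${f.who} can ${f.op} ${f.path}`);
}
```

Calling `describe(auditRules(weakRules.rules))` reports both root-level grants, while the scoped rule set produces no findings.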
Sometimes when I load my app, I just can't seem to connect to Realtime Database using REST APIs. This is only a problem I have been having very recently; it mostly always works but sometimes, randomly, just cannot resolve the destination host.
During one of these times, I have tried using my browser to go to the Firebase Realtime Database page manually: https://project-id.firebaseio.com/
This page should redirect me to my project console. Instead, it just returned a 404.
So I think the problem has nothing to do with my code but it is something Firebase Server-side... what could be the problem?