I have an API key specifically for Firebase and I have it restricted like so:
However, when I connect to Firebase from a different website (on front-end side) it still works.
I've tried connecting Google Maps and it doesn't work (because of the wrong referrer) but Firebase works.
How can I restrict Firebase access to specific web domains?
Note: I'm not using Firebase Auth, I'm only using Firestore as a database.
Double check if your domain accepts HTTP and HTTPS because both require separate restrictions. Also, try adding restriction that includes a wildcard path.
Here's an example:
https://www.test-domain.com
https://www.test-domain.com/*
http://www.test-domain.com
http://www.test-domain.com/*
Reference: https://cloud.google.com/docs/authentication/api-keys#adding_http_restrictions
Related
I'm new to Firebase, and I'm not sure I'm going about what I'm trying to do the right way, but my question is essentially the title. For an app, I'd like to restrict my functions in Firebase to only be available on a custom hostname I've configured. I'm not sure if there is an easy enough way to do this without creating separate Firebase projects?
My main goal is to setup the functions to respond on a url like api.myapp.com while hooking into authentication that can have callback emails that are sent from myapp.com. I've done some digging and can't seem to find much on how to go about this. Thanks in advance!
The documentation says
The steps required to set up API Gateway to manage and secure a Cloud
Functions backend service are outlined in the API Gateway Quickstarts.
Documentation also says
API Gateway uses Identity and Access Management (IAM) to control
access to your API.
IAM is very granular and would allow you to specify domain names for allow action.
I'm using google storage public bucket for serving binary resources on the web right now.
As the docs mentioned
https://cloud.google.com/storage/docs/cross-origin
The authenticated browser download endpoint storage.cloud.google.com does not allow CORS requests. Note that the Google Cloud console provides this endpoint for each object's public URL link.
So in order to allow CORS, I need to put my proxy server in front.
I'm not sure there is a way I don't know to enable me to fetch resources directly from Cloud Storage with CORS but without having a relay server.
It looks like you're trying to use the URLs for objects that you're getting from the console. Those URLs use the domain storage.cloud.google.com. Because that domain allows callers to use their Google account cookies for authentication, its capabilities are intentionally kept very limited, and one such limitation is blocking cross-origin requests.
Instead, configure CORS using the standard Cloud Storage tools, then link your users to a URL like https://storage.googleapis.com/bucket_name/object_name, which will work fine with CORS. That will only work for publicly readable objects, but that sounds like what you've got.
I am using firebase admin sdk on the server to generate sign in links and send them out via custom SMTP api.
I just glanced at https://firebase.google.com/docs/auth/limits and I am well within these, but I believe there is nothing stopping a malicious third party from creating/requesting sign-in links via front end code. Is there a possibility to disable this functionality so it is only available to admin acc?
Additionally, I'd like some emails (i.e. multi factor enrolment) to not be possible, but again, given that someone can obtain some of my firebase front end details, they technically can send these?
You can restrict the API key from accessing an API (e.g. Identity Toolkit) but not disable a single method of the API for client.Sign up and delete user can be (that requires upgrading to Identity Platform) .
Firebase generates an API key when you add a web app. You can either update that or create a new key from API Credentials console.
You can then restrict what the API key in Firebase web config has access to:
However, Firebase Auth Client SDK will not work as Identity Toolkit is not selected. You'll have to proxy the requests through your backend and use a different key that can be used from your server's IP only.
Firebase Admin SDK will still be functional as usual so you can use that to perform other operations like updating/deleting users. You'll just have to write APIs on your backend for what could have been done using client SDK directly (or use Admin SDK when possible).
It might be a lot to update and I would not recommend unless you are facing rate limiting issues where Firebase Support should be able to help.
I just got a mail from the Firebase support that my current API key restrictions for the Firebase API key lead to malfunctions for the Firebase Installation API. Since, I have a web application and not an iOS or an Android app, I´m assuming that this is not a real issue for me at the moment.
However, this got me wondering if I enabled all necessary HTTP referrers (websites) in the Google Cloud Platform to ensure a working environment for my web application. Let´s say my domain is called www.domain.com and my Firebase project is called projectx. I currently have these two entries in the HTTP referrers for the Application restrictions:
www.domain.com/*
projectx.firebaseapp.com/*
Is there anything else I should enable? Because I saw that Firebase also enables multiple domains such as projectx.web.app by default.
It's fairly simple: you need to enable the domains that your app uses.
The two domains you have are the defaults for cases where you have a common domain:
www.yourdomain.com/* is the custom domain that you typically share out with people.
projectx.firebaseapp.com is the default domain generated by Firebase, and is typically also used in sign-in screens (although you can change this).
You may also want to add:
projectx.web.app, which is a newer default domain that Firebase creates. But this is not required, so only add it if you expect to hand it out to folks.
localhost, which is handy for local testing
I found one solution to upload the file to firebase storage without any authentication using this link How to upload objects to Firebase Storage using Postman for testing?
The above-mentioned case works only when my firebase storage looks like this, (Without any security restriction)
allow read, write;
But, Now I want to achieve this with some security restrictions.
Is there any way to upload the files to firebase storage by POST URL (Postman) with some security restriction.
I tried to achieve this by
https://firebasestorage.googleapis.com/v0/b/projectName.bucketName.com/o?uploadType=media&name=picture2&auth=uid
But it shows 403 - forbidden error.
There is no public REST API for uploading file to Cloud Storage for Firebase. The end point you're trying to reach is meant for use by the Firebase SDK only, and is neither documented, nor supported for use beyond that.
That said, you may be able to mint a token using the Firebase Authentication REST API, and pass that along to the request you have. But as said, it won't be supported and may change without warning.
The most common approach for REST uploads is through the Google Cloud Storage API, around which the Firebase APIs are a friendly wrapper. But these APIs are meant for access from trusted code, so wouldn't be using the Firebase Authentication UID of your users. The best I can think of is to write a Cloud Function that handles the user authentication and authorization, and then use the Google Cloud Storage Node.js or REST API to upload the file.
I use this endpoint on my project
https://firebasestorage.googleapis.com/v0/b/YOUR_BUCKET/o?uploadType=media&name=YOUR_FILE_PATH_AND_NAME
and add headers on your post
headers.Add("Authorization", "Bearer " + FirebaseAuthIDToken);
headers.Add("Content-Type", "application/octet-stream");