I have seen mentioned that there is actually a 1000 app hard limit to Firebase projects as it is the OAuth 2.0 Client IDs that have a limit of 30 and that these can be deleted if not needed.
I have removed the OAuth Client ID for my app from here https://console.developers.google.com/apis/credentials
My app is a hybrid app (Ionic) and uses firebase auth with email/password via the web app not native one so it appears to work fine.
I am assuming this means I am home free and can add up to 1000 apps if I manually delete the OAuth 2.0 Client ID each time?
I am looking at adding Google and Facebook sign-in on the hybrid mobile apps using a native implementation (just for the google/fb auth) soon would this be something that I would need the native app OAuth 2.0 Client IDs for? Is this just used for Google Auth?
If so I guess this would restrict me back to 30 apps but I could use the web Google Auth (although the UX is not as good).
I will also be using Firebase Cloud messaging if that is related at all.
I am not familiar with OAuth 2.0 Client IDs so any help is appreciated as I don't want to go down this route but find a problem later on once my product has gone to market.
Note: I have read the recommendations from Firebase that each tenant / customer / label should have its own project. This is not how I want to implement my platform as the data is shared between tenants as users can belong to multiple tenants. Plus making a project per tenant seems crazy if I have up to 1000 tenants.
Some of the tenants but not all will have their own branded app. Same app with different branding and in different app store accounts.
https://firebase.google.com/docs/projects/learn-more#multi-tenancy
It appears the limit for apps has now been reduced to 30.
https://firebase.google.com/support/faq/#apps-per-project
If you need more than 30, the above FAQ entry states:
In the rare case your project requires more than 30 apps, you can request an app limit increase. Your project must be on the Blaze billing plan to make this request. Visit the Google Cloud Console to make your request and have it evaluated.
Related
I have a Node.js API (built with Express.js) hosted on Firebase Cloud Functions and an accompanying web application hosted on Firebase Hosting which is supposed to interact with the aforementioned API.
I would like to restrict calls to the API so that only the web application would be able to call the cloud functions. How can I achieve that?
What I have tried:
using the App Check or more precisely Google's reCAPTCHA v3 for web apps. I have whitelisted the domain of the web application and have activated App Check token validation server side as well. The problem with App Check, however, is that I am able to obtain the reCAPTCHA attestation token from the browser (after authenticating through the web app) and use that with requests made from anywhere. This enables bombarding the API from outside the web application and defeats the purpose of using App Check in the first place.
Something to note here, the documentation for activating App Check in Cloud Functions instructs the usage of functions.https.onCall(). However, since my API is built using Express.js, I had to use a workaround to be able to use functions.https.onRequest() as instructed here.
restricting the Cloud Function from Google Cloud console to allow only clients of the same project to call the function as instructed here. Unfortunately, my web application hosted on Firebase Hosting does not seem to belong under the same Google Cloud project. Apps hosted on Firebase Hosting do not appear in Google Cloud console. Furthermore, after adjusting the Ingress settings of the functions to "allow internal traffic only", I am receiving CORS errors when attempting to access the API through the web application. I am unable to access the API from anywhere else though, which is partly the desired outcome.
Before anyone proposes limiting the domains in CORS options from within the API, while this might serve the purpose of restricting access to the API endpoints, it still would allow calling the function rapidly and thus, potentially, racking up the bill.
I am grateful for any suggestions!
Firebaser here.
This is a great question! Doug has already made some great points above, and I'll just add to that by saying that the TTL on App Check tokens reduce the replay window that you observed in your first bullet point, and this TTL is configurable.
The default TTL for reCAPTCHA v3 is 1 day to protect against running out of quota, but you can set a shorter TTL to increase the cost for an attacker trying to set up a replay attack. But please do be mindful of the associated trade-offs as described in the documentation. You can read about the associated quotas and limits here.
Unfortunately, web applications redirected from Firebase Hosting can't hook up to the GCP internal network. App Check is actually exactly what you are looking for in this situation.
Finally, because we are continuously working on improving the App Check platform, the comments you leave here are valuable for us as we decide on what anti-abuse features we want to work on next.
If I have multiple apps with Firebase (different types and kinds) but want to be able to have 1 user base for all of them (1 account for all apps, even if they only use 1) how would I do this? I was thinking either 1. cloud function (every time someone signs up, add them as a user in the other apps) or 2. A separate project for Auth only and configure both of them in the app, but that might mean requests to firestore, storage, and functions aren’t authorized. NOTE: I'm willing to use GCP products separate from firebase to accomplish this.
If the apps are all part of the same suite, you can add them to a single Firebase project. This is by far the easiest way to do this, but there is a hard limit on how many apps you can have in a project in this way (according to the FAQ, this is 30 at the moment).
If the apps are not all part of the same suite, or you need more than the limit, your only option is to use custom authentication. This means you'll create a custom authentication provider that takes the user's credentials, verifies them, and then creates a UID and token for that user to the client which then uses it to sign in to Firebase.
In the back-end you could possible use a single Firebase project for then generating all these users, although I'll admit it's been a few years since I did that.
I received an alarming email from Google a couple of days ago stating that:
[Action Required] Firebase services for your application are malfunctioning due to Application restrictions
I have a Vue based website that uses Firebase for Authorization of users and storing files they are uploading. When I configured the API key that I set up, I restricted this key on the application level, to only work from the address of my website.
I did not impose any API restrictions - Under API Restrictions the radio button with Don't Restrict Key is marked
Having said that, when I try to use my website, I get the following error:
[403] Requests from referer [WEBSITE] are blocked.
The email I got from Google stated that:
Firebase SDK updates on February 27, 2020 (Android) and January 14, 2020 (iOS) replaced the Firebase Instance ID service with a dependency on the Firebase Installations API.
As a result, Firebase services like Firebase Cloud Messaging will malfunction for users who installed your app after it was released with updated Firebase SDKs. Additionally, repeated failing requests to Firebase may slow down the end-user experience of your app.
Application restrictions you have applied to the API key used by your Firebase application need to be updated to allow your application to use the API key.
Inside this mail, there were the following instructions:
Open the Google Cloud Platform Console.
Choose the project you use for your application(s). Open APIs &
Services and select Credentials.
Click Edit API key for the API key in question.
Scroll down to the Application restrictions section.
Change the radio button to None, and click Save, or add your
application to the list of allowed Android apps, iOS apps, or HTTP
referrers, respectively.
If the radio button already shows None you may be looking at the
wrong API key.
You can check which API key is used for the Firebase Installations
API by looking at the service usage page for your project.
Since I do not have any API restrictions and there is also no other API key that I have, I don't understand how to solve this situation.
One option that works is having no application restrictions, but I don't think that is the correct solution.
I also tried changing the API Restrictions to allow only the services from Firebase that I am using, but that did not fix the problem.
Any help or direction to a solution, will be appreciated.
It is possible to use Google Identity Platform and Firebase Auth concurrently in the same project without upgrading my email/password users in Firebase Auth to Google Identity Platform and having to pay for those users?
Attempting to use Google Identity Platform seems to force me to move all my users in Firebase Auth over to it.
As far as I know it is indeed not possible to use Google Cloud's Identity Platform and Firebase Authentication on a single project. You'll have to pick one, and use that for the entire project.
The only alternative I can think of is setting up separate projects for each, and accessing the specific project for the type of user. But in that scenario you'll have to deal with data migration and probably more nasty situations.
Update: since June 2022 the upgrade to Identity Platform is available directly within Firebase. While this optional upgrade does switch you to a different pricing plan which is no longer unlimited, it comes with a generous free tier of 50,000 MAU (monthly active users).
For more on this see the announcement blog post MFA, Blocking functions, and more come to Firebase Authentication and the documentation section on Firebase Authentication with Identity Platform.
I am currently working on a big software project that makes use of Firebase services. Especially Firebase Cloud Firestore, Firebase Storage, and Firebase Auth is used.
Multiple teams in one project
Teams can create their instance of the app to use the features of the app. From a technical standpoint, it is important to know that everything happens through one single Firebase project. Teams are not separated into multiple projects. From a feature standpoint, this is mandatory.
The authentication process
Admins of a team can manage the experience for the users of their team. They should also be able to modify the login methods and e.g. set up individual data to their Microsoft Azure AD account or Google Enterprise account. After a successful setup users of the team should be able to sign in with the prepared auth method by their team admin.
Possible approach
All available auth methods are enabled, set up, and ready to use (E-Mail, Google, Twitter, Microsoft, etc.). When a user opens the app and wants to sign in, the app checks which auth methods are enabled by the team admin and presents the appropriate UI.
Problem: Microsoft AD
Unfortunately, the metadata and values needed for Microsoft AD are set by the team admins and are different for every team. How can this be solved?