I am currently using Firebase in iOS app with flutter framework.
The default Google Cloud API key created by firebase has unrestricted access to APIs, so I want to restrict it to certain APIs that my app uses for security reasons.
However, after making API restrictions, almost all firebase related components work fine, but the app does not seem to be able to get Firebase Cloud Messaging Token (e.g. FirebaseMessaging.getToken() call fails). The app suppose to retrieve this token and send it to the backend server such that the server can send FCM messages, but when this call is made, it just hangs for a while and returns null.
When my app key has unrestricted access to APIs, it retrieves FCM token fine, but as soon as I restrict it, it fails to retrieve the token.
I currently have whitelisted following APIs for the Firebase iOS App Key.
Identity Toolkit API
Token Service API
Firebase Remote Config API
Firebase Dynamic Links API
FCM Registration API
Firebase Cloud Messaging API
I have gone through other API list and they do not seem to be related to Firebase Cloud Messaging at all, so I did not select anything else, so I am stuck. Has anyone else encountered this problem when they tried to restrict Firebase API key?
(I am attaching the full API permission list below.)
App Engine Admin API
BigQuery API
BigQuery Storage API
Cloud Build API
Cloud Datastore API
Cloud Debugger API
Cloud Deployment Manager V2 API
Cloud DNS API
Cloud Firestore API
Cloud Functions API
Cloud Logging API
Cloud Messaging
Cloud Monitoring API
Cloud OS Login API
Cloud Pub/Sub API
Cloud Resource Manager API
Cloud Run API
Cloud Runtime Configuration API
Cloud Scheduler API
Cloud Source Repositories API
Cloud SQL
Cloud SQL Admin API
Cloud Storage
Cloud Tasks API
Cloud Testing API
Cloud Trace API
Compute Engine API
Container Registry API
FCM Registration API
Firebase App Distribution API
Firebase Cloud Messaging API
Firebase Dynamic Links API
Firebase Extensions API
Firebase Hosting API
Firebase Installations API
Firebase Management API
Firebase Mods API
Firebase Remote Config API
Firebase Rules API
Google Cloud APIs
Google Cloud Storage JSON API
Google Play Android Developer API
IAM Service Account Credentials API
Identity and Access Management (IAM) API
Identity Toolkit API
Kubernetes Engine API
Legacy Cloud Source Repositories API
Maps Embed API
Maps JavaScript API
Maps SDK for Android
Maps SDK for iOS
Maps Static API
Mobile Crash Reporting API
Service Management API
Service Usage API
Stackdriver API
Street View Publish API
Street View Static API
Token Service API
You have to additionally white-list the Firebase Installations API.
Details can be found here:
https://github.com/firebase/firebase-android-sdk/blob/master/firebase-installations/API_KEY_RESTRICTIONS.md
Related
Till now I was using service account to connect to my Firestore database (Firebase is not enabled) from within Google products like Cloud Functions or Colab.
Now I need to connect to Firestore from html page opened in my browser. Is it possible without enabling Firebase?
Yes, the Google Cloud Firestore NodeJS SDK is meant to be used on server side only. You can use Firebase Web SDK along with Firebase Authentication and Firebase Security Rules to support serverless app architectures where clients connect directly to your Firestore database.
You don't necessarily have to use Firebase Auth. However, it might be a good idea to restrict access and allow only public content to be accessible without authentication.
You can follow the quickstart in the documentation to setup the client SDK.
Are all of the Firebase services for Android unable to work on Huawei or is it just the cloud messaging service that does not work? Do all of the firebase services rely on Google Play Services?
Firebase SDKs can be divided into three categories:
Play services required — These SDKs require Google Play services, otherwise they have no functionality.
Play services recommended — These SDKs require Google Play services to have full functionality, but they still offer most functionality even without Google Play services.
Play services not required — These SDKS do not require Google Play services to have full functionality.
List of Firebase SDKs that don't require Google Play services
List of Firebase SDKs that you need to include Google Play services
Remote Config SDK com.google.firebase:firebase-config:20.0.0 doesn't require Google Play Services.
Realtime Database SDK com.google.firebase:firebase-database:19.5.1 doesn't require Google Play Services.
But keep in mind that Realtime Database depends on Firebase Auth (it needs an authenticated user to work) which depends on Google Play Services. For that you can use Firebase Auth REST API instead of Firebase Auth SDK.
For more info Use Firebase Authentication without Google Play services
Update 27 Oct 2020:
Firebase Auth SDK v20.0.0 com.google.firebase:firebase-auth:20.0.0 doesn't require Google Play Service.
Official Dependencies of Firebase Android SDKs on Google Play services
The following Firebase products depend on Firebase Authentication.
Firebase Realtime Database
Cloud Firestore
Cloud Functions
Cloud Storage
You just need to replace Firebase Authentication with Firebase Auth REST SDK. Using this SDK, you don't need to change your existing Firebase Realtime Database code. It will start working on Huawei devices and also GMS devices as well.
Docs: Firebase Auth REST SDK - How to use Firebase Authentication on HMS phones
Firebase official stance is that all Firebase services require Google Play Services to work. Yes, some Firebase services actually work without GPS currently, however this can change at any time without prior notice.
Firebase services will not work on the new Huawei Phones.
For Huawei devices you can take a look to HMS and App Gallery Connect Services
Remote config: https://developer.huawei.com/consumer/en/doc/development/AppGallery-connect-Guides/agc-remoteconfig-introduction
Cloud DB: https://developer.huawei.com/consumer/en/doc/development/AppGallery-connect-Guides/clouddb-apply
Push Notifications: https://developer.huawei.com/consumer/en/doc/development/HMS-Guides/push-introduction
To make your app compatible with all devices, you can use the G+H solution:
https://forums.developer.huawei.com/forumPortal/en/topicview?tid=0201200435859940059&fid=0101187876626530001
We have deployed a flask api running Google Cloud Run and have a RESTful HTTP endpoint. We intend this to be called by our iOS app which integrates with firebase (we want writes to go through a REST request instead directly to collection, for business logic).
Is there way that we can make it secure/leverage gcloud authentication capabilities?
I have a node.js client that uses firebase authentication. Now I want to access Google Cloud Storage, however the firebase SDK for node.js does not include GCS. Using #google-cloud/storage works but only with anonymous access. How do I apply the firebase credential to #google-cloud/storage so that GCS access is in the context of the logged-in user?
Node.js is a server that operates in a privileged environment. The Firebase Admin SDK (aka the Node SDK) talks to other services via a service account.
Firebase Authentication enables client-side authentication. The JavaScript SDK is the client-side SDK.
There is no Node.js client SDK for Firebase that accesses Cloud Storage. Since both the Firebase Admin SDK and the Google Cloud Platform client for Node.js use administrative privileges to access Cloud Storage, it looks like those won't be an option for you either.
The two options I can think of are:
Use the Admin SDK in a Cloud Function, and expose the files from Cloud Storage that way.
Use the REST API for Cloud Storage.
I admit that neither is trivial, so I hope somebody knows a better solution.
I am trying to establish service-service authentication between Cloud Functions and Cloud Endpoints.
I am trying to send a HTTP request inside a Firebase Cloud Function to my API running on Google App Engine and managed by Google Cloud Endpoints.
As stated in google docs, the service account that Firebase Cloud Functions uses is ____#cloudservices.gserviceaccount.com
I added that issuer in the security definition of my openAPI config(cloud endpoints). However, I could not find a way to create an access token in Cloud Functions of that service account.
How can I generate an access token in Cloud Functions to authenticate itself to Cloud Endpoints? How am I supposed to sign the JWT on cloud functions to request an access token?
Use Application Default Credentials.