I just deleted my flutter app from firebase console , but it is still working and changing data in the realtime database.
Can anyone tell me how its still connected with the firebase?
Thanks
According to Firebase documentation, when you delete an app:
Corresponding API keys or OAuth clients are NOT deleted. You can clean
up the API keys or OAuth clients in the Google APIs console
credentials page. Deleting these resources will break installed
applications: your users will no longer be able to authenticate or
sign in.
Access to the realtime database is not limited to apps that are registered in the Firebase console. Any code that has the proper configuration for your database, can try to access that database. If you want to be more selective in who can access the database, you will need to do this with Firebase's server-side security rules, typically in combination with Firebase Authentication.
Related
I was wondering how to to secure firebase auth. I plan on using firebase JUST for user authentication (not using firestore or realtime db). Since the API key is exposed on the client, my fear is that a malicious user can find the key and start using it inappropriately. So far I've done the following to try to improve security:
Limit key use to a specific domain
Restrict the key to only be able to use "Identity Toolkit API"
Is there anything else I should do here?
My application should be the only one able to use my credentials to access the Firebase API.
For any app where you access a cloud based API directly from within the client-side application code, that is going to be a myth. The closest you can get within Firebase these days is with App Check, but that isn't available for Authentication calls at the moment.
Part of the reason for this is that the authentication API is quite well protected on its own already, and most abuse will actually not affect you as a developer very much. E.g. (ignoring phone auth) there is no charge for account creation, sign in, and any other operations.
I highly recommend checking:
Is it safe to expose Firebase apiKey to the public?
The documentation on API keys in Firebase.
The documentation on Firebase's security rules, which is how you can protect the Firestore and Realtime databases, and files in Cloud Storage.
The documentation on Firebase App Check, which reduces abuse for Realtime Database, Cloud Storage, Cloud Functions, and Firestore at the moment.
More of these previous questions on allowing only you app to access Firebase
Basically I am building a social media type app. I want to manage the auth using firebase firestore (as It is easier) and the contents posted by the user in any other SQL database. Like, if the user uploads a image it will be stored in my own database. Is it possible to link firebase with my own database? If yes, then how?
Firebase Authentication isn't related in any way to Cloud Firestore. You can authenticate your users with Firebase and save the data in any database you want, even in an SQL database. However, Cloud Firestore has some benefits. So I recommend you check the official docs.
Yes, you can use Firebase for auth only and link it to your own database.
You'll have to use the Firebase Admin SDK in your backend. Check out the set up guide.
I received an e-mail from firebase-noreply #google.com to the tune of:
[Firebase] Your unused Realtime Database ‘my secret’ will be deactivated in 14 day(s)
We've detected the following issue(s) with your security rules:
any logged-in user can read your entire database
any logged-in user can write to your entire database
I have an app on my Raspberry Pi which is available by web, that will send a firebase message to my mobile phone. It will enable a user (any friend of mine that I chose to tell the url to) to track my position. The webpage on my Rpi contains the API key.
Following this e-mail, should I still expect my app to work?
It's a while since I wrote the app but I do find it occasionally useful. The link that firebase sent me to edit my security settings doesn't work. I think I only had an entry in the firebase realtime database to enable me to get an API key. Please forgive me if I am asking a daft question but it has been years since I worked on this.
firebaser here
The email is specific to the Firebase Realtime Database of your project, and won't affect Firebase Cloud Messaging in any way. If calls to FCM succeed before the database is disabled, they will continue to succeed after the database is disabled.
Of course, if your app needs to interact with the database to do its work, that will stop to function when the database is disabled.
I can't figure it out which role/s do I need to have on one of my client's Google Cloud Platform, to do the following:
- Connect and Manage a Firestore database to their Firebase app.
- Use the Google Cloud Firestore API from an external app.
There are so many roles... Any help? :)
I have already Firebase Analytics Admin but when I tried to access the Firestore through Firebase I get the message "To manage Cloud Firestore, ask a project owner for the necessary permissions".
Thanks!
According to the Firebase product-category predefined roles documentation, the only role that has full read/write access to Cloud Firestore is:
Firebase Develop Admin - roles/firebase.developAdmin
Regarding the access to the API, the app will be able to access it using either a Firebase Authentication ID token or a Google Identity OAuth 2.0 token as per referenced on this documentation.
In order to set up Firebase Auth, this link might be of help and for OAuth check this link.
I have created/forked a lil Google Apps Script Library to manage Firebase Firestore and Firebase Remote Config called FirebaseGoogleAppsScript. The goal is to simply manage the contents of your collections in an apps script as well as update your remote config.
My issue is I can't get the a service account to do both.
Firebase creates two service accounts upon creating a project:
The first is listed in the Firebase Console -> Project Settings -> Service Accounts. This one I use within my cloud functions to retrieve the Remote Config just fine. However in the Apps Script Project it is unable to retrieve any data from firestore. I tried adding all kinds of roles including Owner and Editor yet no firestore data, but I still can get the RemoteConfig.
The second is only visible in the GCP service accounts and has the title: Firebase Admin SDK Service Agent with the roles Firebase Admin SDK Administrator Service Agent and Service Account Token Creator. This one is able to retrieve all the data from firestore within an Apps Script Project. However in the apps script project I can't get it to retrieve the RemoteConfig even if I add the role Firebase Remote Config Admin.
I have also made my own service account which was able to get the Remote config and just about everything else from Firebase except the Firestore data. Seems only the one service account created by Firebase is able to get any data.
To recreate the issue simply deploy my lil FirebaseGoogleAppsScript project and associate it to the same GCP project Firebase is connected to. There is a test file in it which can recreate the issue assuming you have some data in RemoteConfig and a collection called posts with some docs.
What the heck is going on here? Why can't I make a service account who can access Firestore and RemoteConfig? Any ideas on what to do to create a proper role to do both? Do I really have to use two separate service accounts?