Some Background
We have an app which requires user registration
When a user registers, we send a confirmation email
The email contains a Firebase Dynamic Link to a web page and is caught by the app if it's installed
Since the final link contains a unique confirmation token, we generate a dynamic link each time using the Firebase dynamic link REST API
The generated dynamic link is something like this: https://{domain}.app.goo.gl/{randomChars}
The final link points to our domain, which is using HTTPS
The Problem
When I try to open that link in Gmail (both desktop and android), a pop-up appears that says:
Suspicious link
This link has been flagged as suspicious. Are you sure you want to proceed to {domain}.app.goo.gl?
Notes
It's weird that the top-level domain is from Google, and it's flagged as suspicious
The email contains other links, e.g. to the home page, YouTube, Instagram and Facebook, and those open without any issue (all of them are HTTPS)
We're using Rackspace/Mailgun to send emails
Any insights will be really useful.
Edit:
I checked both domains ({domain}.app.goo.gl and ours) in MX Toolbox and no blacklist was found.
Dynamic links now use page.link instead of app.goo.gl. The latter URL has been deprecated.
See https://firebase.google.com/docs/dynamic-links/create-manually
Related
I have no experience with this and I'm in need of major help. I have a WordPress website that I am trying to connect a Gmail account to, so that the contact form gets sent to a Gmail address. I got it all set up and it is telling me I need verification. This is only being used for my WordPress website. Probably very few users, not a business. Can I get around the verification process or not?
You would need an OAuth Consent Screen for your Project.
You can refer to this blog post on how you can connect a Gmail account on your WordPress site.
I have implemented the reset password link for my app (using exactly the same Firebase code provided at https://firebase.google.com/docs/auth/web/manage-users). It works well when I tried it using a Gmail account that I have registered previously on the app (I received the reset password link on Gmail and was able to change to a new password). However, when I tried it with other email domains (like professional work or school domains, e.g. @mycompany.com or @school.edu), it does not seem to receive the email (not in junk/spam either). It is very weird because I do receive the 'email verification' link (from Firebase) using other domains when I registered using the app, but not when I tried to reset the password. Any ideas on how to approach this problem?
As an FYI, currently in Jan 2023, Microsoft 365 business blocks these emails from ever reaching the target mailbox, even if you change the SMTP settings in Firebase.
They still appear in your own SMTP sent section, they just never get delivered by MS.
Open the Firebase console, go to Authentication, then click on Templates > Password Reset, then copy the given email address (it looks like 'noreply@YOUR-PROJECT-NAME.firebaseapp.com'). Then open your Gmail account, paste that email address in the search section, then tap on 'view message > move to not spam'.
This will surely help you.
Thanks
Meet Patel
If the code is the same and you don't get an error message, it is extremely likely that the email gets blocked somewhere along the way to the target mailbox. You'd have to reach out to the system administrator and see if they can find the message somewhere in their spam filters, and ask them to modify the configuration of those to no longer block these messages.
As ganey stated, the problem is that certain email filters such as MS 365 do not accept mails that contain links that are not in pair with the sender domain.
The solution is to add a customized action url that points to the same domain as your sender domain.
Then you need to redirect from that URL to the URL generated by Firebase.
Note:
If you do this in React or another SPA, don't forget to append the query params.
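The redirect described in this answer, as an added example that is not code from the answer or from Firebase: a handler on the sender's domain forwards to a fixed Firebase action URL and copies the query parameters across so they are not lost. The hostnames www.example.com and firebase-project.example.com are sample values, the function names and the 512-character limit are assumptions, and the destination is never taken from the request, so the endpoint cannot be used as an open redirect.

```javascript
// Added example: same-domain landing URL that forwards to the Firebase action handler.
// Sample hostname; the base is fixed in code and never derived from the request.
const FIREBASE_ACTION_BASE = 'https://firebase-project.example.com/__/auth/action';

// Parameters Firebase puts on its action links; anything else is dropped.
const FORWARDED_PARAMS = ['mode', 'oobCode', 'apiKey', 'continueUrl', 'lang'];
const ALLOWED_MODES = new Set(['verifyEmail', 'resetPassword', 'recoverEmail']);
const MAX_OOB_CODE_LENGTH = 512; // assumed bound, only to reject absurd input

// Returns the Firebase URL to redirect to, or null if the link is not usable.
function buildActionRedirect(requestUrl) {
  // requestUrl is the path + query requested on the sender domain.
  const incoming = new URL(requestUrl, 'https://www.example.com');
  const mode = incoming.searchParams.get('mode');
  const oobCode = incoming.searchParams.get('oobCode');

  if (!ALLOWED_MODES.has(mode)) return null;
  if (!oobCode || oobCode.length > MAX_OOB_CODE_LENGTH) return null;

  const target = new URL(FIREBASE_ACTION_BASE);
  for (const name of FORWARDED_PARAMS) {
    const value = incoming.searchParams.get(name);
    // searchParams.set re-encodes the value, so nothing is pasted in raw.
    if (value !== null) target.searchParams.set(name, value);
  }
  return target.toString();
}

// Handler with the (req, res) shape of Node's http module.
function handleActionRequest(req, res) {
  const location = buildActionRedirect(req.url);
  if (location === null) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    res.end('Invalid or incomplete action link');
    return;
  }
  res.writeHead(302, {
    Location: location,
    'Cache-Control': 'no-store',       // the link carries a one-time code
    'Referrer-Policy': 'no-referrer',  // keep oobCode out of Referer headers
  });
  res.end();
}
```

Mount handleActionRequest on the path used as the customized action URL in the Firebase email template.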
So, I have a web application where users can register and when they do, a confirmation email is sent to their inbox to confirm their email. This email that is sent contains a link that takes you to the login page, and we use Firebase to convert that link into a short dynamic link, example: https://xm5z5.app.goo.gl/wiRt.
However, when this link is clicked, the user gets a "suspicious link" warning from Google and I can't seem to understand why this happens. I've read that a few other people with web apps have the same issue with Google flagging one of their links as suspicious. Why could this be and how can this be solved?
I am using a WordPress plugin, WP Embed Facebook, to display a "live" photo feed from an album on a Facebook page/account I have control over. It used to work fine, displaying thumbnails in one of my footer widgets that when clicked opened in a lightbox. Lately, instead of said thumbnails, the following message is displayed:
Error: (#10) To use ‘Page Public Content Access’, your use of this
endpoint must be reviewed and approved by Facebook. To submit this
‘Page Public Content Access’ feature for review please read our
documentation on reviewable features:
https://developers.facebook.com/docs/apps/review. (only visible to
admins)
(see far right footer widget at http://www.sugaroafculinary.com)
In following the link in the error message, it would seem that my "app" (i.e. the web page using the plugin) needs to undergo a review/approval process from Facebook, which seems to me to be quite the excessive set of hoops to jump through just to access content on my own page, but I digress...
If I'm reading the documentation correctly, they require access to the "app" in test mode so that they can see it in action. In an attempt to meet this requirement, I:
Logged into my FB app dashboard where the plugin required me to create an app in order to get an App ID and an App Secret anyway. No big deal.
Created a 'test app' from that app and configured the plugin to use the test app's App ID and App Secret
The long and the short of my current issue is that, I get the same error message with the test app as with the original. I was under the impression that being a test app, access to the endpoint would be allowed. Not so much. I don't know how I can provide Facebook access to my working test app if it produces the same error as the production version.
I'm sure I'll run into more snags with the remaining hoops I'm jumping through, but for now if anyone had any advice for how I can get the test app access to that endpoint so it can be viewed in a working state for FB review, I'd be ecstatic.
OR there's the possibility that I've misinterpreted the requirements - if it looks like that might be the case, please do not hesitate to bring that to my attention either.
Thanks!!
UPDATE
I found the following that sounds like it might indicate that if "the person" who is the publisher of the WP page containing the plugin is the "the person" who is an admin of the app in the FB system, the endpoint is accessible.
"While you are testing your app and before you submit it for review,
your app can only access content on a Page for which the following is
true: The person who holds the admin role for the Page also holds an
admin, developer, or tester role on the app. If you want the app to be
able to access public content on other Pages, you must submit this
feature for review. Once you set your app to live mode, it will not be
able to see any Page public content without this feature."
Now what exactly does "the person" mean? I added the FB account that has the same email address as the publisher of the WP page as an admin of the app in the App Dashboard, but the results are the same. I can't think of any way (other than by email address) that Facebook would be able to figure out that a WP user is the "same person". Am I missing something here?
Submitting for Page Public Content Access would be the wrong thing to do here to begin with.
to display a "live" photo feed from an album on a Facebook page/account I have control over.
So that makes it not public access to begin with - that feature is for accessing public content of pages you don’t have admin access to.
Accessing the photos of your own page requires a page access token - and getting that in return requires the page admin to grant manage_pages permission to the app.
If the plugin is showing you an API response talking about Page Public Content Access, then it means it did not use a proper page token for the request to begin with.
Now I don’t know this plugin, and whether it is prepared to ask for that when retrieving an access token, and if so whether something else goes wrong. I would suggest you contact the plugin author for support.
But again, Page Public Content Access is not what you need here.
Lately a new error has popped up, which didn't exist before.
I have a Firebase project mapped to a custom domain.
The structure I'm using is as follows:
firebase-project.example.com is DNS-pointing to Firebase, that's the custom domain, it is tied to the Firebase project (Firebase Hosting).
But the structure I'm offering to the clients is as follows:
www.example.com/firebase-project which is hosted on my own server.
When I have Firebase generate the verification email, I present them a verification link in the email which contains this structure
https://www.example.com/firebase-project/auth/email?mode=verifyEmail&oobCode=SOME_AUTOGENERATED_CODE&apiKey=FIREBASE_API_KEY
The page rendered by https://www.example.com/firebase-project/auth/email contains an iframe, which loads the following URL
https://firebase-project.example.com/__/auth/action?mode=verifyEmail&oobCode=SOME_AUTOGENERATED_CODE&apiKey=FIREBASE_API_KEY
That should (and effectively used to!) verify the email on Firebase Hosting, and present the "ok, verified" message provided by Google inside the iframe, all neatly surrounded by the branded https://www.example.com/firebase-project/auth/email webpage.
But as of lately the iframe shows the following message:
Error encountered
The page is displayed in a cross origin iframe.
and I can't verify the email.
These cross-origin issues usually get fixed by adding the appropriate access-control-allow-origin headers. Where do I need to set the header, and to which value?
I have tried sending Access-Control-Allow-Origin: firebase-project.example.com and also Access-Control-Allow-Origin: * with the www.example.com/firebase-project/auth/email response, but that does not work.
Could a crossdomain.xml hosted somewhere help me with the issue?
If I inspect the page, and manually copy the iframe-url and paste it in the address bar, then the email will get verified.
No console messages (errors) are displayed at any time.
www.example.com as well as firebase-project.example.com are in the list of authorized domains for that project.
firebase-project.example.com is using Firebase Hosting and therefore has access to the /__/auth/action functionality. It is able to verify the email address.
www.example.com is not hosted on Firebase / Google Cloud, and therefore has no /__/auth/action functionality. It can't verify the email address without the help of firebase-project.example.com.
Sadly, the Firebase Admin SDK does not offer any support for letting the backend at www.example.com verify the email address for the given oobCode, which is why I was forced to use an iframe.
This is what the result should look like, instead of just a white page confirming the verification:
And the iframe is implemented as follows:
<iframe src="https://firebase-project.example.com/__/auth/action?mode={## mode ##}&oobCode={## oobCode ##}&apiKey={## apiKey ##}"></iframe>
The Firebase Console Email verification template looks like this
Else I see myself forced to create a redirect to firebase-project.example.com which results in this page (which actually seems to be predestined to be embedded in an iframe)
There is exactly zero security gain in preventing the embedding inside a page of an authorized domain.
Also, notice the message "You can now sign-in...". My approach shows the Sign-In link conveniently above the iframe. Without it, the user must now type "www.example.com/firebase-project" into the address bar. It makes so much more sense with an iframe; a more efficient and user-friendly approach.