Disable Legacy Server Key - firebase

I found that Firebase Cloud Messaging has two ways to send Push Notifications.
I am aware of how the two ways are working and I have already implemented and tested my app and server using both ways.
However, I am required to disable the "Legacy server key" way of sending messages.
I cannot find how to disable this using Firebase Console.
Is it possible to disable the Legacy way of sending Push Notifications? How?

you have to enable the firebase messaging API from the google developer console
by clicking on the three dots and clicking on the "Manage API in Google Cloud Console"
after enabling the API go back to firebase and refresh then you will get the FCM key for messaging

There is currently no way to disable or even delete the Legacy Server Key from the Firebase Console. The Legacy Server Keys automatically get generated and tied to the project after creation.
There may still be a number of users (most coming from GCM) who still use the Legacy Server Key in their apps , which I believe is the reason why it hasn't been removed yet. Other than that, there is no other use for it as far as I know.
Update:
There is a way for you to delete the currently tied Legacy Server Key in your Firebase Project, however, I would like to point out that this might cause issues if not handled properly. Only do this if you are absolutely sure that you won't be using the Legacy Server Key ever again.
Here are the steps:
Go to your Google Developers Console Page.
After sign in, select the correct project on the upper right side. If you can't find it in Recent, go to the All tab.
After selecting the correct project, click on Credentials on the panel to the left. You should then see a list of keys, one of which is named Server key (auto created by Google Service). If you check, this is the same Legacy Server Key visible in your Firebase Project.
From here, you can click on the Pencil or Trash icon.
If you click on the pencil icon, it will direct you to a page where you can choose to Re-Generate or Delete the key. Choosing to generate a new key would give you a new server key, where the change would also reflect in your Firebase Project, while also still having the option to revert to it (only within the 24 hours limit).
Choosing to delete the key would automatically generate a new one for you, but you won't be able to have the option to revert to it.

Go to https://console.cloud.google.com/apis/library/googlecloudmessaging.googleapis.com?authuser=0&project=courseflutter-15e95&hl=en
Click enable
Refresh the page

Related

Web API Key missing in firebase

I'm trying to get an API key for a live chat plugin, but I can't get the key from Firebase.
No Web API Key for this project:
Any solution? Thanks!
Go to the authentication tab and enable a sign-in method (for example email/password). This will generate the web api key.
EDIT: as fen1ksss said: It seems this has been changed just recently. You don't actually need to toggle any of the providers to make it work.
there's been another small change: the authentication tab is now inside the "Engage" tab because google likes hide and seek. once there, follow as above.
Visiting https://console.firebase.google.com/u/0/project/project-id/settings/general/ where project-id is your project's id, should show you your api key written directly under your gcp resource location as "Web Api Key"
Also if you have gotten the config object from your firebase project before, your web api key is listed under the key "apiKey"

How to disable reCaptcha in firebase phone-auth (OTP) android?

I've updated the firebase library recently and didn't change anything else.
implementation 'com.google.firebase:firebase-auth:20.0.1'
implementation 'com.google.firebase:firebase-messaging:21.0.0'
implementation 'com.google.firebase:firebase-storage:19.2.0'
implementation 'com.google.android.gms:play-services-auth:19.0.0'
but whenever a user tries to signup, a Recaptcha is showing for a few seconds and then sometimes redirects to a web browser (CustomChromeTab) after that OTP is received from firebase auth. It takes about 15-30 seconds. How to prevent the Recaptcha? However, I added the SHA1 and SHA256 in the firebase console and have not changed the code. Thanks.
Here is the screenshot of the captcha verification process:
Most of the times while implementing dependencies like:
implementation 'androidx.browser:browser:1.2.0'
the above window pops-up in the browser.
Here, is a way to resolve it successfully.
Step 1-
In the Google Cloud Console, enable the Android DeviceCheck API for your project. The default Firebase API Key will be used, and needs to be allowed to access the DeviceCheck API.
Step 2-
If you haven't yet specified your app's SHA-256 fingerprint, do so from the Settings Page of the Firebase console. Refer to Authenticating Your Client for details on how to get your app's SHA-256 fingerprint.
Hope it works!!!
For more information, you can also check Google SafetyNet API for checking Google Play Services installation in device at the time of Phone Authentication.
Also, need to perform additional steps:
Firebase Project Settings > App check > and Register firebase project in SafetyNet and Play Integrity register with default time token 1 hour.
Don't forget to go in Firebase Project Settings > App check > and Register firebase project in SafetyNet and Play Integrity register with default time token 1 hour and u will remove reCaptcha from phone auth OTP!
Try this alternative method to disable reCaptcha
mAuth = FirebaseAuth.getInstance();
// set this to remove reCaptcha web
mAuth.getFirebaseAuthSettings().setAppVerificationDisabledForTesting(true);
because I've been following Mohd Asim answer, and it doesn't work.
In order to remove the captcha verification, you have to do this in Google cloud console.
IMPORTANT (you may have done that, but for the reminder):
Add the SHA1 and SHA256 of your project (see how to get) in the firebase project setting page (See how to set).
Go to the Library page in the Google APIs Console.
In the search bar type "Android Device Verification", and select the Android Device Verification box (API). The Android Device Verification API dashboard screen appears.
If the API isn't already enabled, click Enable. Hope here your problem solves and if not then proceed further.
If the Create credentials button appears, click on it to generate an API key. Otherwise, click the All API credentials drop-down list, then select the API key that's associated with your project that has enabled the Android Device Verification API.
In the sidebar on the left, click Credentials. Copy the API key that appears.
Use this API key when you call the attest() method of the SafetyNetClient class.
For more information read this official page - https://developer.android.com/training/safetynet/attestation
go to google cloud console
Select project it should be same project in which firebase is running and make sure you have added sha-1 and sha-256 of both debug and release version and put updated google-services.json file in your app.
search android device verification
click on enable
5.done

Unknown user in my firebase user authentication (Flutter/firebase)

I developed an app to test the google login feature using flutter and google authentication. The project is a closed project and only I have access to it. But recently I saw that there was a google sign in from an unknown Email ID. How did the user login without the build of my app? Has my account been hacked? What is going on?
Anyone with knowledge of your project's API Keys can access your Firebase Project using simple CURL Commands.
This is why it's a good idea to add restriction to those API Keys
In case you haven't, go to https://console.cloud.google.com and
Select your project
Click the menu icon at the top left (hamburger icon)
Go to API & Services and then credentials
You can view the APIs for your Google Cloud Project (linked to your Firebase Project) and then set restrictions for the API keys, refresh them or restrict access to specific platforms like Android or iOS.
You can also set restrictions on which components of Firebase the API key is allowed to access. For example, if your project doesn't require the use of Cloud Firestore, you can ensure that the API Key cannot be used to make calls to the Firestore Database
All said and done, I would still recommend that you shoot a mail to the Firebase Support team at https://firebase.google.com/support/troubleshooter/contact
To anyone still wondering about this:
If you provide a native google sign in and the registered
email adresses look like this:
karolynmccorkle.91842#gmail.com
normabrock.69306#gmail.com
guillermogeorge.53163#gmail.com
kylegomez.35423#gmail.com
opalbarrett.09499#gmail.com
they are probably test accounts used to generate Google Plays Pre-Launch reports.
You can read about it in the Play Console Help here.
If your app has a sign-in screen and you want the crawler to test the
sign-in process or the content behind it, you need to provide account
credentials.
Note that you do not need to provide credentials if your
app supports "Sign-in with Google,” which enables the crawler to log
in automatically.

Manage server keys in Firebase Cloud Messaging

I've just opened a Firebase Cloud Messaging project intended for Android push messages.
The gear icon shows one server key (obfuscated here for obvious reasons):
I would like to have more than one key, so I can distribute them to servers and developers and revoke compromised keys if necessary.
How do I manage (add and delete) server keys in Firebase?
Update:
As of the moment, the way it should be done in order to generate a new Server Key, as stated in the docs:
Starting from Sept. 2016 new server key can only be created in the Firebase Console using the Cloud Messaging tab of the Settings panel. Existing projects that need to create a new server key can be imported in the Firebase console without affecting their existing configuration.
For the project migration steps, see my answer here.
For generating Server Keys, there is no way to generate one in the Firebase Console. It can be done via the Google Developers Console:
Go to your Google Developers Console
On the left-pane, click on Credentials
Under the Credentials Tab, Click on Create Credentials
Select API Key
Steps retrieved from my answer here
After you select API Key, it will directly create an API key without asking what type of key (Server, Android, Browser, iOS) it is. It will only allow you to set some Restrictions that was visible depending on which API Key you intend to generate.
By default, the key generated has No Restrictions, this makes a key vulnerable, that's why it is highly encouraged for you to add a restriction for your API key. In this case, since you are using it for FCM (Server Key is needed), you must add an IP Address restriction and only allow specific server IP addresses.
With that said, I don't know how you plan to integrate multiple server keys to a single Firebase Project though. Why not just make use of the IP Addresses restriction and remove the server IP address that are deemed compromised?
It's not possible to have multiple cloud messaging server keys per project. I'd suggest you to have multiple Firebase projects for your application development staging environments.
If needed, you can then re-generate the server key in the Google Developer Console.
On the top-left corner of the screen, verify that the correct
project is selected.
On the left-side panel, click Credentials.
Under Credentials tab, click Server key (auto created by Google
Service).
Click Regenerate key button
A confirmation box will show up asking if you'd like to replace the current key, then click Replace key button.
Note that the new key will be available immediately. The current key will be deactivated permanently in 24 hours.
After all of these steps, you can check that the cloud messaging server key of your Firebase project is now updated.
In Firebase, the Server Key is auto-generated. If you check out the Firebase project in the Google Developer Console, it will be listed as such. You can then create more Keys from there (but will not be listed in the Firebase Console, from what I can tell).
Basically, you can better manage the keys thru the Google Developer Console.
Hope this helps!
You should avoid distributing API keys for the same project. If any one of those using the API keys are found to be abusing it then the entire project will be throttled, affecting all keys for the project.
If you do want to have multiple developers send notifications to your application then have each developer create a Firebase project then have the client register with each sender ID. You will still have the ability to rotate the API key for each developer, or have the client delete the token for a developer that you no longer want to receive messages from. This way any abuse from one developer does not negatively affect the project as a whole.

Firebase messaging, where to get Server Key?

Firebase allows us to send notification messages via our own application by making POST request.
This tutorial, gives to us instructions how to make this request. However, there is Authorization field in header where I must to place my own Server key.
Where I can get this Server key? There are no instructions for this.
Solution:
Click the Settings (Cog wheel) icon next to your project name at the top of the new Firebase Console, as per screenshot below:
Click Project settings.
Click on the Cloud Messaging tab.
The key is right under Server Key.
Updated UI June 2022
I was able to get the Server key by doing the following steps:
Click on the "..." next to "Cloud Messaging API (Legacy)"
Click "Enable Cloud Messaging Api (Legacy)"
Go back to the previous page and refresh and you should now see the Server Key
Not sure if we need to do something different moving forward now that it's considered legacy....
Steps with images: https://documentation.onesignal.com/docs/generate-a-google-server-api-key
Take this one: (First answer is right - this one is just to show how the page looks like!)
https://support.clevertap.com/docs/android/find-your-fcm-sender-id-and-fcm-server-api-key.html#
July 2022
Click on the "..." (Positioned vertically) next to "Cloud Messaging API (Legacy) (DISABLED)" on your Firebase project settings.
Click on the pop-up menu listing. *It should say something like "Manage API in Google Cloud Console"
OnClick it will redirect to your google cloud console page, over there you should see an option to enable the Cloud Messaging API. Enable it and go back to your Firebase project settings and wallah, its there!
UPDATE: As of April 2017 this method does not work. The api_key in google-services.json is only the legacy key. The selected answer is correct.
Deprecated way:
In your project there is a JSON file called google-services.json
Open that file and search for
"api_key": [
{
"current_key": "********"
}
those *** are your server api key
If you dont have that file then you can download it from your app details in firebase account
There are two keys on firebase, the first one is in Settings (Tab General)
and its call Web API Key.
The second one and in what you are interesting for is in Settings (Tab Cloud Messaging) its called Server key
Use the second one for push notifications from php.
Updated UI 2022
Here are Steps to get serverKey
GO to firebase console
You can get view like this. if you have Created Project select project else Create new Project by click on Add project.
Now you are in Project overview panel.
In Project overview panel in left upper corner click on settings button and go to Project Settings --> Cloud Messaging
That's it. in Project credentials Key and token are mentioned. Copy code and paste it. You are good to go
In my case, I did an integration with a 3rd party system and they asked for the "server key" json file.
They what I get it from firebase was:
Project Overview -> Project Settings -> Service accounts screen and A press the Generate new private key button.
I used that file and everything worked as expected

Resources