Where are the Firebase database rules "Access Denied" messages logged on the Firebase server?
We are using the JavaScript web version of Firebase client libraries. The answer below is referring to Android or iOS but can we get automatic logging / analytics on the Web version?
For example, one of our customers sees:
firebase issue Error: permission_denied at
/companydata/Global/eJztlD9PwzAQxb8K8pyBVqJDtkIpCtA/IpQFMRzJtbXq2NHlUhRV/e6ck4LKQioQagc23z3n+efn2Bs1JUx1AoyFCp83KmLM7rBSoZq7OVZWBWryWiCtgbWzjSK9JzAlynDs/IQcCdiRCs8DFRUTGczBFBioK2cZtEWK0lqcAqHlz64KbWmM/+beLQTC7Ck7h2hhHWGMQMlyqNGID1OJ22AfNVtQG+jsMj4F0hbKv0L0IAcSyrHrHx97s04r6Okn8vtfEmiF3JbjLeRg/6P8Pkqu8k5bkCNnsTobrfjLJjvHueSpy5ZtwP2yYAKj4UjAL4GKHbFw+XdfqhtyZb4rD01/oAkT3xFy7/jg3obaMNLOc5J7UQqVlBTO4oH67HXrZSxk2KiirD+eaplX8zEQ97ne+COsROpeSATk0jJhH0ivF6hry5qrceMzNXKbtu/y+E4I:
Client doesn't have permission to access the desired data.(…)
I'd like to see these errors in a log somewhere on the Firebase console.
Is there a place to see data rules denials?
Thanks!
There is no server-side location where these error messages are captured that you have access to.
You will have to reproduce the client's behavior locally or use the Firebase Database rules simulator to reproduce it.
I think that you have to do it (logging denied access) manually.
Firebase Analytics collects some events by default. Here you can find the list of those events. And here is an example of how to add log events in Android.
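One way to do the manual logging suggested above from the JavaScript web client, as an added example that is not code from the original posts. It assumes denied operations reject with an error whose message has the `permission_denied at /path: reason` shape shown in the question (or a `permission-denied` code for Firestore); the `report` sink and the `context` fields are hypothetical names.

```javascript
// Added example: client-side reporting of rules denials.
// Assumption: a denial surfaces as an Error whose code is "PERMISSION_DENIED"
// (Realtime Database) or "permission-denied" (Firestore).
const DENIED_CODE = /^permission[_-]denied$/i;
const DENIED_MSG = /permission_denied at (\/\S*?):(?:\s|$)/i;
const MAX_SEGMENT = 32; // longer path segments are treated as opaque keys

// Keep the shape of the path but never ship long opaque keys to the log.
function redactPath(path) {
  return path
    .split('/')
    .map((seg) => (seg.length > MAX_SEGMENT ? `<redacted:${seg.length}>` : seg))
    .join('/');
}

// Turn an SDK error into a structured event, or null if it is not a denial.
function denialEvent(err, context = {}) {
  const code = String((err && err.code) || '');
  const match = DENIED_MSG.exec(String((err && err.message) || ''));
  if (!DENIED_CODE.test(code) && !match) return null;
  return {
    type: 'rules_denied',
    path: redactPath(match ? match[1] : context.path || ''),
    op: context.op || 'unknown',
    uid: context.uid || null, // null: the client was not signed in
    at: new Date().toISOString(),
  };
}

// Wrap any promise-returning database call. `report` is a hypothetical sink,
// e.g. an analytics event call or a POST to your own logging endpoint.
async function withDenialLogging(operation, context, report) {
  try {
    return await operation();
  } catch (err) {
    const event = denialEvent(err, context);
    if (event) {
      try { await report(event); } catch (_) { /* never mask the original error */ }
    }
    throw err; // the caller still sees the denial
  }
}

// Constructed sample error, shaped like the message in the question.
const sampleDenied = Object.assign(
  new Error("permission_denied at /companydata/Global/" + "A".repeat(40) +
    ": Client doesn't have permission to access the desired data."),
  { code: 'PERMISSION_DENIED' });
console.log(denialEvent(sampleDenied, { op: 'read', uid: 'constructed-uid' }));
```

Recording the signed-in state alongside the redacted path is usually enough to replay the same request in the rules simulator.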
Related
I have a React.js application powered by a number of Firebase functions and real time database standing behind them. It has been working without any issue for the past 2-3 months and now I am getting a warning on the functions logs which says that:
#firebase/database: FIREBASE WARNING: {"code":"app/invalid-credential","message":"Credential implementation provided to initializeApp() via the \"credential\" property failed to fetch a valid Google OAuth2 access token with the following error: \"Failed to parse access token response: Error: Server responded with status 404.\"."}
The way I initialize firebase from my React.js application looks like this:
I have double-checked everything standing behind process.env and it seems to be as expected. The website written in React.js is hosted under Firebase Hosting.
And this is how Firebase functions connect to Admin SDK:
I am not sure what the issue would be here. Nothing has changed in the code base from our side. Not sure if Firebase changed something internally that we need to consider.
What solved the issue for me was to go to the Google Cloud console (where Firebase functions are also available). Then I opened one of the failing cloud functions and I navigated to
My_Function_Name/Edit/RUNTIME, BUILD AND CONNECTIONS SETTINGS/RUNTIME SERVICE ACCOUNT/
And then I noticed there that for all of my functions, App Engine Default Service Account was selected instead of Firebase Admin SDK. I never explicitly set the runtime to this option. So, when I brought it back to Firebase Admin SDK the error was gone and I was able to use the application once again.
Is there any way to see the specific collection / rule that is failing in Firestore? I've looked in firestore-debug.log (running on localhost) as well as in the Firebase UI. Firestore logs the error to the console, but does not include the information I need to debug the permissions:
Firebase intentionally does not disclose information about what rule is failing, as it would give malicious users information you don't want them to have.
The best information is typically available in the emulator in the Firebase console, which tells you what specific rule has failed.
Error messages delivered to the client SDK will never show the root cause of the rejection, as that would reveal something about the security measure to a potential attacker.
If you want to test and debug your security rules locally before you deploy, you can use the Firebase emulator suite to get detailed information about how your rules are working with client code that would make queries against them.
https://firebase.google.com/docs/firestore/security/test-rules-emulator
https://firebase.google.com/docs/rules/emulator-setup
How do I enable the data access log and audit log for Firebase? In GCP Platform, I am able to see the audit log and data access log for Cloud Datastore. How do we enable the same in Firebase?
I have a few tables in Firebase; the client is complaining of a few calls not being serviced and has got an error in connecting. 3 requests failed out of 821 requests.
This feature is available for Firebase Firestore now.
https://cloud.google.com/firestore/docs/audit-logging
You need to enable the IAM audit log for the Firebase API, and that helps in tracking the Firebase activities.
There is no accessible data access log for the Firebase Realtime Database. If you can reproduce the problem, you might want to reach out to Firebase support to see if they can find the missing client calls in their logs.
I just deleted my Flutter app from the Firebase console, but it is still working and changing data in the Realtime Database.
Can anyone tell me how it's still connected with Firebase?
Thanks
According to Firebase documentation, when you delete an app:
Corresponding API keys or OAuth clients are NOT deleted. You can clean
up the API keys or OAuth clients in the Google APIs console
credentials page. Deleting these resources will break installed
applications: your users will no longer be able to authenticate or
sign in.
Access to the Realtime Database is not limited to apps that are registered in the Firebase console. Any code that has the proper configuration for your database can try to access that database. If you want to be more selective in who can access the database, you will need to do this with Firebase's server-side security rules, typically in combination with Firebase Authentication.
I used firebase.auth.signInWithPopup() from this documentation. However, I am getting this warning on the popup window saying that my app isn't verified yet. See image below.
I don't know where to start from here since as far as I can remember, I can't find anything about this on the firebase auth docs. Any advice?
Google now requires apps be verified when you request certain sensitive data:
https://developers.googleblog.com/2017/07/new-security-protections-to-reduce-risk.html
Firebase is not exempt. Why should it be? Any attacker can create a Firebase account with Google provider enabled and try to phish Google users with it.
Verify your app through this link OAuth consent screen