In Firebase console under Project Settings/General beneath the Project ID field there is a Web API key :
Where is this used? I know that the Server key found under Project Settings/Cloud Messaging is used as Authorization key to make calls to the firebase console:
I have also noticed that in google-services.json ther is an "api_key" property that has a "current_key" value which is different from both keys that I have mentioned. What is that key?
From my answer here:
current key - nothing is explicitly stated anywhere in the docs where it is used, however, among the 3 services where the google-services.json was originally used for before Firebase (Google Sign-in, Analytics, GCM), I'm guessing it would be between Google Sign-in and Analytics. As also mentioned by #DiegoGiorgini here:
The api_key value in google-services.json is not used by FCM. (it is used by other Firebase libraries)
So it can be for a separate Google non-Firebase or Firebase service.
Web API Key - this one I haven't had a chance to use before. However, I've seen other posts wherein this specific API key is used often on Web apps related to Firebase (possibly also for Auth purposes?), but I'm not entirely sure.
Server Key - as per the docs:
A server key that authorizes your app server for access to Google services, including sending messages via Firebase Cloud Messaging.
current_key (as per the docs) is the Android key auto-created by Firebase when creating a Firebase Android App. It's NOT used to control access to backend resources. Instead, it's used to identify your Firebase project when interacting with Firebase/Google services. Specifically, it's used to associate API requests with your project for quota and billing.
Web API Key (as per the docs): can be used to authenticate users by passing its value to the key query parameter in several API endpoints, e.g., sign up or sign in using email & password, generate refresh token, etc.
Server Key (as per the docs): is a server key that authorizes your app server for access to Google services, including sending messages via the Firebase Cloud Messaging legacy protocols.
Related
When we create a new project in Firebase and add iOS or Android app to it Firebase will automatically create API keys in Google Cloud.
Example: Android key (auto created by Firebase)
As per documentation it's not mandatory to secure those keys if we have proper security rules at the backend(Firestore/Cloud Storage). Of course an attacker can make a brute force attack using the authentication endpoints which can be mitigated by putting thresholds on authentication limits.
My question is would it cause a break in the app functionality or unexpected behaviour if an auto created API key is secured with a bundle id or SHA-1 key?
I received an alarming email from Google a couple of days ago stating that:
[Action Required] Firebase services for your application are malfunctioning due to Application restrictions
I have a Vue based website that uses Firebase for Authorization of users and storing files they are uploading. When I configured the API key that I set up, I restricted this key on the application level, to only work from the address of my website.
I did not impose any API restrictions - Under API Restrictions the radio button with Don't Restrict Key is marked
Having said that, when I try to use my website, I get the following error:
[403] Requests from referer [WEBSITE] are blocked.
The email I got from Google stated that:
Firebase SDK updates on February 27, 2020 (Android) and January 14, 2020 (iOS) replaced the Firebase Instance ID service with a dependency on the Firebase Installations API.
As a result, Firebase services like Firebase Cloud Messaging will malfunction for users who installed your app after it was released with updated Firebase SDKs. Additionally, repeated failing requests to Firebase may slow down the end-user experience of your app.
Application restrictions you have applied to the API key used by your Firebase application need to be updated to allow your application to use the API key.
Inside this mail, there were the following instructions:
Open the Google Cloud Platform Console.
Choose the project you use for your application(s). Open APIs &
Services and select Credentials.
Click Edit API key for the API key in question.
Scroll down to the Application restrictions section.
Change the radio button to None, and click Save, or add your
application to the list of allowed Android apps, iOS apps, or HTTP
referrers, respectively.
If the radio button already shows None you may be looking at the
wrong API key.
You can check which API key is used for the Firebase Installations
API by looking at the service usage page for your project.
Since I do not have any API restrictions and there is also no other API key that I have, I don't understand how to solve this situation.
One option that works is having no application restrictions, but I don't think that is the correct solution.
I also tried changing the API Restrictions to allow only the services from Firebase that I am using, but that did not fix the problem.
Any help or direction to a solution, will be appreciated.
So I am fairly new to firebase and new to the more advanced concepts of gcloud and i'm setting up firebase with hosting and analytics and in the gcloud console it generated a Server key and a Browser key however they look like identical keys, both unrestricted, and when i copied the code for the fire base analytics google sent me an email warning me about the api key being public (public github repo) is it safe to publish the unrestricted browser key, if so why? If someone could explain how api keys work within google cloud that would be great.
The Google Cloud Platform has a number of API keys. These are generated for Android, iOS and web (Browser) applications and there is also a Server API key. Anyone with an API key can call the REST APIs on resources on the project it was generated for. This can incur major billing charges!
It is advisable to restrict API keys. Only give them access to the APIs they need to use. Android and iOS keys should be restricted to the applications the project support.
The browser key is the one to be careful with as the key is stored in a JavaScript object and easily obtainable. It should be restricted to the domain the web pages are served from. If email address and password authentication is enabled, an unrestricted API key can be used to create and modify users.
So no, it is not safe to publish an unrestricted browser API key.
If I share a user's Firebase device ID key (for a user who has my app installed) with other Firebase service providers, can they send messages from their account (using their authentication key) to a user who has my app installed?
Yes I do realize the process of sharing a user's Firebase device ID key could be problematic. The problem I am trying to solve is that I want multiple providers to be able to send messages to a user who has my app installed.
The Firebase Instance ID (also known as a registration token, or FCM token) identifies an installation of your app on a specific device.
Sending messages to such tokens in a project always requires an additional form "authentication.
The Firebase Cloud Messaging versioned REST API requires that the user has a service account. If you create a service account for each of your service providers, you grant them complete access to your Firebase project. So they can't only send FCM messages, they can also access every other Firebase product: e.g. delete your database, read all your users, etc.
The legacy REST API for Firebase Cloud Messaging instead uses a Server Key to authorize its callers. If you share your FCM server key with other service providers, they can only send FCM messages with that key. But they can send whatever messages they want to whatever user.
You might want to consider setting up your own API endpoint on Cloud Functions for Firebase. That way you can determine yourself how to secure that API, and what you allow your service providers to send to what users of your app.
Assuming that the Firebase Device ID Key you're referring to is the FCM Registration token, then having the value alone won't enable others to send a message to it without the corresponding Server Key it is associated with.
For your use-case of allowing multiple senders to a single app, you could refer to the official documentation on Receiving messages from multiple senders. I believe my answer here could also be helpful.
Is the new server key restricted to messaging only?
explanation:
In firebase project settings, I can get "old" and new server keys(cloud messaging tab).
The old ones don't work to send push notifications via https://fcm.googleapis.com/fcm/send because the response says that it is a legacy server key. But it can be restricted to certain google apis here https://console.developers.google.com/apis.
The new is not listed in google apis console, but works.
We want to share the server key with partners, but won't allow to do other stuff. The new HTTP API V1 with OAuth2 is not an option unfortunately.
According to docs:
Server key (for legacy protocols): A server key that authorizes your app server for access to Google services, including sending messages via the Firebase Cloud Messaging legacy protocols.
Which services are here meant?
Got response from Google: Yes, the new server key is restricted to cloud messaging only.