For some reason, my firebase project apikey associate with database changed. I can still create another api key, update into the application.
But when user try to reset password, the link use the old key and lead to "Your request to reset your password has expired or the link has already been used" (I think I read this problem somewhere and now I found the reason).
Is there anyway to update new api key for an existing firebase project?
Thank you
Somehow, my original apiKey was recovered. You can find the original key (which were deleted from console.google.com) associated with the application on the main firebase page, through
Overview > Project settings > GENERAL
Basically, when users requested to recover the password, firebase will send an email with recovery link. If you have a look at the link, you will see the API included in the link is the one that no longer exists.
I recommend you to contact firebase support. I don't have an official way to solve the issue but here is quick I can think of, following as
Create new API at console.google.com > choose your firebase project
Create a page with a function that can read URL parameters. Make it receive firebase recovery password URL and replace dead API with new
one, then redirect you to new firebase recovery password URL
Edit email template by adding the page you created on step 2, with firebase recovery full URL as a parameter
To be more accurate, here is an example.
I have my project called "MyFirebaseProj", my domain is "example.com"
I go to console.google.com, choose "MyFirebaseProj", on API Manager panel, choose Credentials > Credentials. Click on Create credentials > API Key. So I got a new API key call "MyNewLongAPI".
I created a recover-password.html password and have this javascript function https://codepen.io/hieunc229/pen/mWwVbv (this one will read the firebase url, get oobCode and generate new URL). Edit the javascript so it will redirect the user to new URL. Upload this one into my host (mydomain.org/recover-password.html)
On Firebase console, Authentication > Email Template > Reset Password. Change the link to something like
<a href='http://example.com/recover-password.html?url=%LINK%'>%LINK%</a>
Then save it
Now when user go into your recover password page, they will be redirected into firebase url with new API and it should works
Hope it helps!
If anyone run into the same issue, as I get in touch with Firebase team and they are investigating about it. Currently there haven't been a way to help it.
Related
Recently i build a app using Firebase, But after i got Some users through advertisement, Someone just hacked Firebase database and Updated all user datas like .
Username
Profile pic path
They set it to a bad word and bad pic.
So then i Also Checked the Firebase rules and redefined them..
Like
Only Authenticated users can read/write.
But problem is.
The hacker is still updated the Value on firebase db.
and i want to know what i am missing.
Is it possible to update a Firebase db without the whole secure key and things..
using a browser may be?
User data of a single user ...
email : "https://m.me.developer.scg"
lastseen : "1617987743"
pic : "https://www.dropbox.com/s/03a50cx4adxqepk/(url cannot be posted publically it contains nude images)"
privacy : "PU"
state : "offline"
status : "Lets watch some movies"
type : "FREE USER"
username : "FU*KED BY DreamPLAY"
Here the hacker updated the 3 fields.
email :
pic:
username:
You have to know that as soon as (1) someone has the apiKey of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account).
Getting the apiKey is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).
Consequently, rules only based on auth != null allow anyone that has signed-up through the REST API accessing your Realtime Database. No need to use any GUI: after having been identified through the Auth REST API, the user can use the RTDB REST API.
One classical approach to avoid "non-desired" users to access data, is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: See the doc for more details.
I will answer as parts :
Reason of Problem :
The Hacker found your API then created project and added your API to it then he
created authenticated user then he updated the fields , So this the reason of
problem
Solution :
First : is to create unique Fields (e.g Email to 1234567890Email as
Example but more secure)
Second : is to connect to Google Cloud Platform then setup Google Cloud Platform HTTP with your Domain (As Firebase will only accept data from your Domain ONLY)
Third : Is to create more secure rules as to denied access to Entire Database but just
give access to some collections or even documents So it will be more
secure
I just covered the most famous actions (You can see more but by google your problem)
& Wish I helped you :)
I just thought of a way to secure Firebase credentials so thought of a way to use a custom cloud functions authentication function (URL based function) to accept user credentials like username and password via URL encoded parameters. This method will only use database(firestore would be preferable). The function will only have to create custom tokens and send it to the user while keeping the user's temporary data like IP addresses etc. So request to write or read to the database will only be granted to this function.
You CAN prevent all those non authencated activities right from your firebase console.
GO to your firebase console, Open your project's android app.
Add SHA fingerprints of your app's SHA signing certificate fingerprints.
I am going over to a Wordpress and my WP plugin is asking me about "Authentication Code" And I have no idea where to find it.
Without the plugin name it is hard for me to determine what specific authentication code is needed, so I'll assume that you mean the OAuth Client ID. Please, forgive me if I am mistaken. You can generate a new OAuth Client ID following this steps:
Open Google Cloud Console and select your project.
Go to Navigation menu ⮞ APIs & Services ⮞ Credentials.
Select +Create credentials ⮞ OAuth client ID at the top.
You'll be prompted to select an application type. In case of a Wordpress plugin you need to choose Web application and give it a descriptive name.
Click on +ADD URI and include your webpage URL. This action will whitelist your webpage to authorize this OAuth client.
Tick Create to finish the process and annotate your client ID and secret.
With this procedure you would have created an OAuth client ID and its secret. Now we can take this client/secret pair and use it to request an authorization code over some Calendar API scopes.
After getting an authorization code, you can ask Google to exchange it for a pair of refresh and access tokens that you can use on every call to the Calendar API.
Following these steps you would have created every authentication code possible, you just need to determine which one is the required for that specific plugin. Please, don't hesitate to ask me any additional doubts.
I have read the functions docs and the authentication codes on the firebase website, but I have no clue if it will be secure or not. I've read the whole of this doc: https://firebase.google.com/docs/auth/custom-email-handler
They seem to do all the verification on the website but I can't find the verifyPasswordResetCode(actionCode) function in the node.js doc so what way would you go around this?
Basically, if the user forgets their password/needs to verify their email I want the user to go to my website (I've already configured the custom action URL that is sent when the user requests to reset their email to go to 'mywebsite.com/auth/action/.../'. I know that the my front end (IOS App) needs to verify the code and then In my functions (that's hosted on my website) I need to reset their password, but how would I securely transfer information from the email to my app, to my website with the function to reset their password with the action code. Or can I do it all on my website instead of where they input their new password on the website? I'm guessing using dynamic links?
Thanks,
Nathan
in console firebase, in the menu Authentification -> Templates
There is a sms verification template :
%LOGIN_CODE% is your verification code.
How to change this message template?
firebaser here
Neither the email verification template nor the SMS verification template can be modified. You can select the language from the Firebase console, however this is a per project setting and you can't modify the templates.
We understand that changing the template would allow you to tweak the user-experience of your app, but we don't allow this to prevent abuse of the service.
Update 1 year later, still a no go, but I received this back from support
The Firebase SMS Authentication message content will depend on the
platform you are requesting that message from. Here is a list of the
possible variations you may get:
iOS and Android - The SMS messages draw the app's name from the App Store / Play Store. One an app is published, the correct name
should start appearing. There may be a small delay (a week or two at
most).
Web - It will always use the domain that the SMS is requested from. To modify it, you can setup a custom domain.
iOS (using Recaptcha) - Phone authentication on iOS will show the project's url instead of the app's name in the verification
SMS when using the reCAPTCHA flow. This is expected behavior. The
reCAPTCHA flow was added for cases where an APNS token is not
available (including on real devices). If APNS is not correctly
configured, a real device will default to the reCAPTCHA flow.
Unfortunately, neither the email verification template nor the SMS
verification template can be modified. You can select the language
from the Firebase Console, however this is a per project setting and
you can't modify the templates.
We understand that changing the template would allow you to tweak the
user-experience of your app, but we don't allow this to prevent abuse
of the service. I hope this clears your consults about this topic. If
you happen to have any more questions, please, do not hesitate to
write back!
Meanwhile you cannot change the content of the message, you can change the app's URL mentioned in the SMS.
Go to Authentication > Sign-in Method > Authorized domains and add your own domain website.tld
Now edit the Firebase config object (in your source code) and update the authDomain key to the domain you linked earlier.
Send a new test message, you're good to go.
As per Firebase Support the %APP_NAME% should be shown in your firebase settings wherein the %APP_NAME% is called after Public-facing name in public settings.
EDIT:
I checked first where is the location of "localhost" and wherein i found on "Authentication>Sign-in method" then under 'authorized domain' you will find "localhost" in order to change the localhost you need to add a new domain.
Note:
be careful on deleting localhost to your authorized domain. It will take time to function OTP request.
This one helps;
Go to Authentication > Sign-in Method > Authorized domains and add your own domain website.tld
Now edit the Firebase config object (in your source code) and update the authDomain key to the domain you linked earlier.
I am having some trouble figuring out how I can let users set their API credentials to get read-only data from the Google Calendar API.
I have it set up to use OAuth to allow a fallback. It allows the user to click for an access key to copy over and save.
However, I am finding an issue when I try to make it so users can enter their own API settings.
I tried the same method I used for the fallback, but even if they enter those credentials in they would still need to authenticate it with an access key.
So I guess my question is how can I just include a simple API key to be saved and used to get the data?
I haven't been able to find very many resources or documentation on this so even pointing me in the right direction will be very helpful.
Thanks!
EDIT:
So here is a link to the part of the Calendar API I need to use: https://developers.google.com/google-apps/calendar/v3/reference/events/list
And if you compare it to the top of the page of this API page: https://developers.google.com/google-apps/calendar/v3/reference/events/delete
You will see the delete specifies that it requires Authorization, but the List does not. All I need is the list but when I have tried to connect with it without any authorization it does not work. Am I missing something?
If the data is not public, the users will have to authenticate with Google and enter the access code on your plugin configuration. Google Analytics for WP does this, check its source.
I don't see the problem with having the users authenticating, but one alternative is to add support for service account, like the Google Drive WP Media does. In this case users of your plugin will enter the service account email and upload the private key file (I'm not sure if the Drive WP plugin implements it in a secure way).