I've just opened a Firebase Cloud Messaging project intended for Android push messages.
The gear icon shows one server key (obfuscated here for obvious reasons):
I would like to have more than one key, so I can distribute them to servers and developers and revoke compromised keys if necessary.
How do I manage (add and delete) server keys in Firebase?
Update:
As of the moment, the way it should be done in order to generate a new Server Key, as stated in the docs:
Starting from Sept. 2016 new server key can only be created in the Firebase Console using the Cloud Messaging tab of the Settings panel. Existing projects that need to create a new server key can be imported in the Firebase console without affecting their existing configuration.
For the project migration steps, see my answer here.
For generating Server Keys, there is no way to generate one in the Firebase Console. It can be done via the Google Developers Console:
Go to your Google Developers Console
On the left-pane, click on Credentials
Under the Credentials Tab, Click on Create Credentials
Select API Key
Steps retrieved from my answer here
After you select API Key, it will directly create an API key without asking what type of key (Server, Android, Browser, iOS) it is. It will only allow you to set some Restrictions that was visible depending on which API Key you intend to generate.
By default, the key generated has No Restrictions, this makes a key vulnerable, that's why it is highly encouraged for you to add a restriction for your API key. In this case, since you are using it for FCM (Server Key is needed), you must add an IP Address restriction and only allow specific server IP addresses.
With that said, I don't know how you plan to integrate multiple server keys to a single Firebase Project though. Why not just make use of the IP Addresses restriction and remove the server IP address that are deemed compromised?
It's not possible to have multiple cloud messaging server keys per project. I'd suggest you to have multiple Firebase projects for your application development staging environments.
If needed, you can then re-generate the server key in the Google Developer Console.
On the top-left corner of the screen, verify that the correct
project is selected.
On the left-side panel, click Credentials.
Under Credentials tab, click Server key (auto created by Google
Service).
Click Regenerate key button
A confirmation box will show up asking if you'd like to replace the current key, then click Replace key button.
Note that the new key will be available immediately. The current key will be deactivated permanently in 24 hours.
After all of these steps, you can check that the cloud messaging server key of your Firebase project is now updated.
In Firebase, the Server Key is auto-generated. If you check out the Firebase project in the Google Developer Console, it will be listed as such. You can then create more Keys from there (but will not be listed in the Firebase Console, from what I can tell).
Basically, you can better manage the keys thru the Google Developer Console.
Hope this helps!
You should avoid distributing API keys for the same project. If any one of those using the API keys are found to be abusing it then the entire project will be throttled, affecting all keys for the project.
If you do want to have multiple developers send notifications to your application then have each developer create a Firebase project then have the client register with each sender ID. You will still have the ability to rotate the API key for each developer, or have the client delete the token for a developer that you no longer want to receive messages from. This way any abuse from one developer does not negatively affect the project as a whole.
Related
I received an alarming email from Google a couple of days ago stating that:
[Action Required] Firebase services for your application are malfunctioning due to Application restrictions
I have a Vue based website that uses Firebase for Authorization of users and storing files they are uploading. When I configured the API key that I set up, I restricted this key on the application level, to only work from the address of my website.
I did not impose any API restrictions - Under API Restrictions the radio button with Don't Restrict Key is marked
Having said that, when I try to use my website, I get the following error:
[403] Requests from referer [WEBSITE] are blocked.
The email I got from Google stated that:
Firebase SDK updates on February 27, 2020 (Android) and January 14, 2020 (iOS) replaced the Firebase Instance ID service with a dependency on the Firebase Installations API.
As a result, Firebase services like Firebase Cloud Messaging will malfunction for users who installed your app after it was released with updated Firebase SDKs. Additionally, repeated failing requests to Firebase may slow down the end-user experience of your app.
Application restrictions you have applied to the API key used by your Firebase application need to be updated to allow your application to use the API key.
Inside this mail, there were the following instructions:
Open the Google Cloud Platform Console.
Choose the project you use for your application(s). Open APIs &
Services and select Credentials.
Click Edit API key for the API key in question.
Scroll down to the Application restrictions section.
Change the radio button to None, and click Save, or add your
application to the list of allowed Android apps, iOS apps, or HTTP
referrers, respectively.
If the radio button already shows None you may be looking at the
wrong API key.
You can check which API key is used for the Firebase Installations
API by looking at the service usage page for your project.
Since I do not have any API restrictions and there is also no other API key that I have, I don't understand how to solve this situation.
One option that works is having no application restrictions, but I don't think that is the correct solution.
I also tried changing the API Restrictions to allow only the services from Firebase that I am using, but that did not fix the problem.
Any help or direction to a solution, will be appreciated.
I'm planning my project's migration from GCM to FCM.
An experienced FCM person says:
... after importing the project to Firebase, it would generate its own Server Key that you could use [in FCM legacy API calls to push to devices with GCM-generated tokens and FCM-generated tokens]
With this new Firebase Server Key I would no longer need the old GCM Server Key. Because the old GCM key won't be necessary I'd like to revoke it to limit possible attacks. Is it possible to revoke all old GCM Server Keys for a project after migrating the project to FCM?
It's possible. GCM Projects were provided Server Keys that are accessible via the Google Developer's Console (make sure you select the correct project).
From the screenshot above, you could see Server key (auto created by Google Service). The option to delete the API Key can also be seen here -- the trash icon is beside the copy icon.
If you already imported the project to Firebase, navigating to the Cloud Messaging tab would also show the old Server Key, aka the Legacy Server Key.
Choosing to delete the default Server API Key will show the following prompt:
This credential will be deleted immediately and permanently. Once deleted, it can no longer be used to make API requests.
Do you want to delete the credential?
Proceeding to delete the key, then refreshing both pages afterwards, would show a new auto created Server Key.
I found that Firebase Cloud Messaging has two ways to send Push Notifications.
I am aware of how the two ways are working and I have already implemented and tested my app and server using both ways.
However, I am required to disable the "Legacy server key" way of sending messages.
I cannot find how to disable this using Firebase Console.
Is it possible to disable the Legacy way of sending Push Notifications? How?
you have to enable the firebase messaging API from the google developer console
by clicking on the three dots and clicking on the "Manage API in Google Cloud Console"
after enabling the API go back to firebase and refresh then you will get the FCM key for messaging
There is currently no way to disable or even delete the Legacy Server Key from the Firebase Console. The Legacy Server Keys automatically get generated and tied to the project after creation.
There may still be a number of users (most coming from GCM) who still use the Legacy Server Key in their apps , which I believe is the reason why it hasn't been removed yet. Other than that, there is no other use for it as far as I know.
Update:
There is a way for you to delete the currently tied Legacy Server Key in your Firebase Project, however, I would like to point out that this might cause issues if not handled properly. Only do this if you are absolutely sure that you won't be using the Legacy Server Key ever again.
Here are the steps:
Go to your Google Developers Console Page.
After sign in, select the correct project on the upper right side. If you can't find it in Recent, go to the All tab.
After selecting the correct project, click on Credentials on the panel to the left. You should then see a list of keys, one of which is named Server key (auto created by Google Service). If you check, this is the same Legacy Server Key visible in your Firebase Project.
From here, you can click on the Pencil or Trash icon.
If you click on the pencil icon, it will direct you to a page where you can choose to Re-Generate or Delete the key. Choosing to generate a new key would give you a new server key, where the change would also reflect in your Firebase Project, while also still having the option to revert to it (only within the 24 hours limit).
Choosing to delete the key would automatically generate a new one for you, but you won't be able to have the option to revert to it.
Go to https://console.cloud.google.com/apis/library/googlecloudmessaging.googleapis.com?authuser=0&project=courseflutter-15e95&hl=en
Click enable
Refresh the page
Is it possible to set up Firebase to allow Auth/DB access into a common/shared database instance - where that instance is setup to be a centralized storage location for some 3rd party service?
For example, let's say there's an analytics service called StackOverflowAnalytics.com .. and so anyone who signs up for that service, can add tracking to their app with some secret user key. And then all the tracking for that Key is pushed to the same Firebase DB instance. And then the user can login via Firebase auth and the rules will restrict that they can only access the node for their Key.
I'm working on a 3rd party analytics client for Android - along the lines https://mint.splunk.com - where I would like to provide users a small Java/Android library they can add to their Android project, and this will help them track different data points while their app is running. The data is made accessible by saving it to the cloud from the device.
I am currently using Firebase, but it seems in order for the Firebase Auth & DB of a given Firebase instance to be accessible - the "specific app signing key" (package name/etc combo) needs to be set in the console for that Firebase instance.
It seems sharing across across unknown apps is not possible on Firebase. And that if I want to support something like that with Firebase (and not have to go to another cloud storage option), then I need to set up some proxy REST client .. like in Java or PHP .. that can serve as a centralized access point to that Firebase instance. Just wanted to check with other folks first in case this has been encountered and perhaps there are best practices already established around this particular case. Thanks
Firebase client libraries are generally not meant to be repackaged for use in other libraries. They're meant to be used at the app level.
A unique SHA-1 key is required on Android for Authentication to work with a particular app identified by package name. This requirement will definitely become a problem for you if you want this to work with arbitrary apps, since you would have to manually enter one for each app that wants to integrate.
As far as I know it's not possible to do what you want without creating a proxy, as you mentioned. I assume that firebase has some app validation that make unfeasible to share the Auth/DB.
Maybe a solution for you is to make a proxy too to access data:
"It looks like in order to access Firebase Analytics data, you export it to BigQuery. This is working for me and is automated."
My server key is not displaying at my firebase Console. What configuration should I do?
This is a known issue and is being addressed. Usually you would get into this state when the API key automatically generated by the creation of the Firebase project is deleted from the Google Developer console. The Firebase console UI currently only shows the automatically generated server API key, and nothing if that key is deleted.
You can still use any valid server API key in the corresponding Google Developer project. So go to the Google Developer console and use one of the Server API keys there or create one if it does not exist.