This question already has answers here:
Is it still possible to do server side verification of tokens in Firebase 3?
(2 answers)
Closed 6 years ago.
My Android app currently uses Google sign in and this works well. I add the tokenId to every server request and then verify it on the server. This was very easy to implement using this example (I'm using python).
I'm migrating this to go through Firebase so that I can easily add other authentication providers. My problem is that I can't seem to verify the token on the server. All I need is verification, no creation. Firebase seems to provide libraries only for Node.js and Java so I ccould use a standard JWT library like pyjwt. But where do I find Firebase's public key in order to verrify the token?
I found the answer in this post. The public keys for Firebase can be found here. The kid field in the header determines what key to use.
Related
This question already has answers here:
Locking down Firebase DB access to specific apps
(2 answers)
Closed 3 months ago.
I have two apps registered in Firebase, say App A and App B. I haven't setup any firebase authentication system but I want to allow requests only from App A and App B. I want to check if the request is coming from my apps and then only perform the actions. If the request is from somewhere else then just reject it.
I want to have this security for Cloud Firestore and Firebase Storage.
Currently, this feature isn't available, some of this will be rolling out in the near future using the new App Check: https://firebase.google.com/docs/app-check
At this time, App check only supports:
Realtime Database
Cloud Storage
Cloud Functions (callable functions)
This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
Closed 2 years ago.
I'm trying to call the Firebase API. To call this API, we need to specify a user config key. How can I hide this key in my code? I have no idea how to do.
If I use the environment.ts file, after build, those keys are exposing in the main.js file.
main.js
Keys Exposed
Is there any way to avoid the exposure of these keys in main.js file?
Firebase is designed such a way that you do not have to hide these keys.
Please refer to doc here and extract below:
Unlike how API keys are typically used, API keys for Firebase services are not used to control access to backend resources; that can only be done with Firebase Security Rules. Usually, you need to fastidiously guard API keys (for example, by using a vault service or setting the keys as environment variables); however, API keys for Firebase services are ok to include in code or checked-in config files.
This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
Should I hide firebase api keys into backend? Not due to data security but project cloning issue
(2 answers)
Closed 2 years ago.
I have been messing around with Firebase in a web app and realized there's something I don't understand.
In order for the JS code to send data to the Firebase servers, your apiKey has to be in the JS. But then that means your API key is public, and anyone using your website can inspect the code and just send arbitrary commands to Firebase on your behalf from the dev tools, or from any other site now that they have the API key.
I know I must be missing something, since this would make Firebase not useful. What is it I'm missing? What prevents users from sending arbitrary commands to Firebase with your ApiKey?
This question already has answers here:
How to create Firebase Authentication claims?
(3 answers)
Closed 3 years ago.
In my application I use firebase authentication and Google account as credentials provider. I would like to assign roles to users. In order to do it I would like to add custom claims to the authentication token a user gets during login. And here is my problem because I don't know how to add claims to existing user from the firebase console.
There is currently no way to set custom claims for a user in the Firebase console. If you think this would be a useful addition, file a feature request for it.
In the meantime the easiest way to add a custom claim is to do so from the a terminal window/command prompt using a small Node.js script like this:
admin.auth().setCustomUserClaims(uid, {admin: true})
Also see:
How to create Firebase Authentication claims?
This question already has answers here:
Firebase - Where is My Account Secret in the New Console?
(4 answers)
Closed 6 years ago.
I am trying to enable zapier to access firebase database of my project. I am not able to get the details they are asking for.
The zapier page says
On the firebase authentication tab (I couldn't find auth) I don't see anything named Forge
Any suggestions on how to get this Firebase secret?
At the right hand side of the project, click the Settings icon.
1) The API key should be available in General tab
2) The database secret should be present in Database tab