I am using Firebase topic subscription to push notifications in my Electron app. As of now I am hardcoding all the config properties like authorization key, topic, senderId, etc. in my app. Is there any way I can access these params based on the environments?
In short, instead of hardcoding config properties, are there ways to load them dynamically after packaging the app?
Related
I create buckets on GCP Storage using the Node.js library. Later, I want to access these GCP Storage buckets from my Firebase iOS app. However, I can't. I receive the following error when trying to access my existing GCP buckets from my iOS app:
Your bucket has not been set up properly for Firebase Storage. Please visit https://console.firebase.google.com/project/MY_PROJECT/storage/files to automatically repair this issue and then retry. If the issue lasts longer than five minutes, you may have insufficient permissions to repair the project. You can check your permissions by visiting https://console.firebase.google.com/iam-admin/iam/project?project=MY_PROJECT."
It seems like I need to go to the Firebase Storage console and manually import existing Google Cloud Storage buckets to my Firebase project (as suggested here).
How can I import existing GCP Storage buckets to my iOS Firebase project programmatically? Or, is there a way to access existing GCP buckets and perform operations on them from my iOS app using Firebase Storage library?
Note: I'm on the Blaze plan. firebase-storage#system.gserviceaccount.com is added to my existing GCP buckets as Storage admin, just like it is for my default Firebase Storage bucket.
Here's a screenshot from Firebase console that explains the situation.
I found a doc which talks about the Firebase integration with Google Cloud Platform. It says:
Cloud Storage for Firebase is tightly integrated with Google Cloud Platform. The Firebase SDKs for Cloud Storage store files directly in Google Cloud Storage buckets.
Meaning that there shouldn't be problems when trying to call your GCS buckets from your app. There are a number of ways to access data stored in your Cloud Storage bucket, depending on what you want to do.
For the integration itself, I found this GCS buckets and Firebase Quickstart. Yes, it's mentioned that you need to specify your bucket's location.
It's mentioned that
Read and write access to Storage is restricted so only authenticated users can read or write data
Meaning that you have to implement an authentication process within your app. Check also the Firebase authentication so we can also get rid of the insufficient permissions part.
Hope this is helpful.
EDIT: Maybe I forgot to mention the Security Rules. After you set them, your app (and your users) will have access to your GCS buckets.
I also found a very similar case here.
Having encountered the same issue, I'm afraid there is no available programmatic solution right now.
Even if a bucket is created from the Admin SDK in a cloud function, it is not automatically attached to the Firebase project, which is required to apply some security rules and use it on the client side.
The attachment process itself looks like a black box. There is no apparent IAM change after the bucket selection and process validation in the Firebase console.
So, at this date, I would not recommend using custom buckets in Firebase projects for the following reasons:
It appears not to be possible to programmatically attach a custom bucket to a Firebase project, the only working method being a manual addition via the web console.
Regarding the very promising admin.securityRules() functions namespace, this is quite new (end of 2019) and the documentation lacks some thorough examples.
I have built an app with Electron and Electron Builder.
My app requires an API key to work, which should be generated when users download my app. My application somehow needs to know this API key in order to recognise the user.
However, I can't put the key statically into my codebase, because it will be generated for every user, which would require me to compile the app for every user with the appropriate API key.
Is there an easy way to create a configuration file in a second step after building my application or how would I solve this problem?
TLDR: All I want to do is secure my cloud function in Parse so that it only accepts requests from my iOS app. How can I do that?
Longer version:
I recently got started with using Parse for a client side app I'm building using a Google API.
Before using Parse, my issue was that the Google API calls from my app were not secure. I tried a man-in-the-middle attack on my app, and I was able to successfully get the bundle id and app id (Google claims some form of security is achieved by ensuring that the call is from the correct bundle id that you can specify on their console). So despite using SSL, it seems like it was easy to get this information. Now this Google API is paid, so someone could easily abuse my key when I release my app and raise my bills.
I was anyways also thinking of doing some lightweight work in the backend, so I figured to use Parse. Now the call to the Google API is done in Cloud Code. But a new problem I'm facing is how to secure calls to the Cloud function I've defined in Parse? The Parse App ID and Client Key aren't secure at all.
All of Parse's blogs keep talking about creating users and defining ACLs etc. But in my case, there is no data in my Parse app and there is no user per se. It simply calls the Google API and returns the result. All I want to do is secure my cloud function so that it only accepts requests from my iOS app. How can I do that?
The inherent security risk here is that any key you store in your app is vulnerable; for that reason encryption is also vulnerable. My recommendation is to use the automatic user in Parse on your iOS app; you could even throttle excessive requests/abuse by a single user. By creating and using a user you are able to gain the benefits of ACL, which appears to be the best security option available in Parse currently. At that point you send the automatic user in your cloud code request and verify it's a valid iOS user.
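The check and per-user throttle recommended in the answer above, as an added example that is not part of the original answer and is not Parse's own code. The handler takes a request shaped like a Parse Cloud Code request (`request.user`, `request.params`); `WINDOW_MS`, `MAX_CALLS`, `handleLookup` and the `callGoogleApi` stub are hypothetical names, and the in-memory map is an assumption that only holds for a single server process.

```javascript
// Added example. All names here are hypothetical; the request objects used
// with it are constructed, not captured from a real Parse app.
const WINDOW_MS = 60000; // sliding window length: one minute
const MAX_CALLS = 5;     // calls allowed per user inside one window
const recentCalls = new Map(); // user id -> timestamps of accepted calls

// Sliding-window limiter: drop timestamps older than the window, then
// accept the call only if the user is still under the limit.
function allowCall(userId, now) {
  const cutoff = now - WINDOW_MS;
  const kept = (recentCalls.get(userId) || []).filter((t) => t > cutoff);
  const allowed = kept.length < MAX_CALLS;
  if (allowed) kept.push(now);
  recentCalls.set(userId, kept);
  return allowed;
}

// Stand-in for the paid Google API call that lives in Cloud Code, so the
// API key never ships inside the app bundle.
function callGoogleApi(query) {
  return `result for ${query}`;
}

// Handler body: reject requests that carry no user session, throttle the
// rest per user, and only then spend a paid API call.
function handleLookup(request, now = Date.now()) {
  if (!request.user || !request.user.id) {
    return { status: 401, error: "user session required" };
  }
  if (!allowCall(request.user.id, now)) {
    return { status: 429, error: "rate limit exceeded" };
  }
  return { status: 200, result: callGoogleApi(request.params.query) };
}
```

A user session identifies an account, not the app binary, so the throttle is what bounds the cost when someone replays requests with their own automatic user.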
I started a few weeks ago to develop my first iOS app and it requires Twitter and Facebook Login.
I am very surprised about the different approaches that both platforms take in terms of security/authentication.
Facebook uses the iOS Bundle ID approach, which seems great, since every Bundle ID is unique and you cannot publish an app Bundle ID on behalf of another user, so it is pretty easy for Facebook to figure out if you are who you say you are.
Twitter uses its traditional Key/Secret pair, which it uses in Web/REST applications, in iOS as well. While that works for the Web because you don't need to expose those keys to the client, that is not the case for iOS applications.
According to the official documentation:
"To initialize the Twitter Kit with your app’s credentials, pass them
to startWithConsumerKey:consumerSecret:"
"Calling startWithConsumerKey:consumerSecret: will override any keys
which were automatically configured. Automatically configured keys
live in your app’s Info.plist under the key"
My understanding is that even if I use my keys, or I use the keys generated by Fabric, those will be exposed on the plist which is a non-secure method to store private keys.
I am sure I am missing something here, please clarify how it works.
I need to build an app that uploads videos to YouTube; my question is about logging in to Google. My app is for only one client, and I don't want the user to need to log in to YouTube before allowing access to my app. I am thinking of setting tokens in a config file; is this possible? If yes, how do I manually get the tokens to store in the config file?
Yes. You authorize the application on YouTube, get the tokens and store them. The application will then use the tokens that were stored. I've done it before (mainly for testing purposes) and it will work fine.