Reputation: 1046
I am struggling to set up my SHA-1 key correctly and restrict the API key on Android.
I have followed the steps to set up app-check using the SHA-256 key which works fine.
I have then added my SHA-1 key to my Android API key on the GCP credentials page and added the relevant restrictions. I have also added it to the SDK setup and configuration in the Firebase console.
If I add the API restrictions, it works. The minute I add application restrictions (using my package name and SHA-1 key), it throws the following error despite the user being logged in (again, without the application restriction this works fine):
User is not authenticated, please authenticate using Firebase Authentication and try again.
I generated my key using the steps in this link: Generate SHA-1 for Flutter/React-Native/Android-Native app
Upvotes: 0
Views: 857
Reputation: 1388
There are two modes for applications: Debug mode and Production mode.
Usually, apps we test on emulators or on our mobile phones are debug builds, so we need the SHA-1 for debug mode. If you use Generate Signed APK, then we need the SHA-1 for production mode.
When we use Firebase, you have to add the SHA-1 and SHA-256 to the Firebase settings page. Then Firebase automatically adjusts the settings in GCP.
You can create the credentials manually, or Firebase creates them for you. I prefer the Firebase way. So there is no difference.
So why do we need SHA-1, SHA-256, or restrictions?
Suppose someone copies your API key from your computer and adds it to their application. Now the cost for using the services will be added to your bill. It happened to a lot of people already. Just hiding the API key can be dangerous.
Another example: suppose you are the owner of a company. You hire someone and you give them an API key for testing or development purposes. Now, if the developer sells the API key for 1 day (he can make ~$1000) to a medium-sized company, then the cost will be added to your bill.
So we need some lock inside the server. So what we do is: Android Studio creates a project that has a unique SHA credential. Then these are checked by the server, and if they match, then they allow them to use the API. So for your security, you can add the restrictions. I got a bill of 54000 INR from Amazon AWS due to the same mistake, but they adjusted it because I requested them via mail.
Also, you can remove all restrictions, and in this way there will be no auth error (100% sure).
Example of API key: 12kmcasdi23n2jn3r2j423jn1o23mk3-934nof
Example cost: $10/1000 requests
Upvotes: 1
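A helper for the check the answer describes (confirming that the fingerprint registered under the API key's application restriction is the one of the certificate that actually signs the build), added here as an example; it is not part of the question or the answer. The keytool output and fingerprints below are constructed, and the keystore paths in the trailing comments are placeholders.

```shell
#!/bin/sh
# Added example: parse `keytool -list -v` output, normalize the SHA1/SHA256
# fingerprints and compare them with the value registered on the API key.
# Debug builds and release builds are signed by different certificates, so the
# registered fingerprint must come from the keystore that signs the build under test.

# normalize_fp FP: drop colons/spaces and upper-case, so "ab:cd" and "ABCD" compare equal
normalize_fp() {
  printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# extract_fp ALGO OUTPUT: print the normalized fingerprint for ALGO (SHA1 or SHA256)
extract_fp() {
  algo=$1
  out=$2
  fp=$(printf '%s\n' "$out" | sed -n "s/^[[:space:]]*${algo}:[[:space:]]*//p" | head -n 1)
  normalize_fp "$fp"
}

# fingerprint_matches REGISTERED OUTPUT: succeed if REGISTERED equals the SHA1 or SHA256
# fingerprint found in OUTPUT, whatever case or separator style it was typed in
fingerprint_matches() {
  want=$(normalize_fp "$1")
  [ "$want" = "$(extract_fp SHA1 "$2")" ] || [ "$want" = "$(extract_fp SHA256 "$2")" ]
}

# Constructed sample of keytool output for a debug keystore (fingerprints are made up).
DEBUG_KEYTOOL_OUTPUT='Alias name: androiddebugkey
Creation date: Jan 1, 2023
Certificate fingerprints:
     SHA1: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4
     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Live use (needs a JDK): capture the output for the keystore that signs the build, e.g.
#   keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey -storepass android
#   keytool -list -v -keystore /path/to/release.jks -alias RELEASE_ALIAS
# then: fingerprint_matches "<value registered in GCP>" "$(keytool ...)" && echo match
```

If the debug fingerprint matches but the release one does not (or the other way round), the "User is not authenticated" error on one build type and not the other is the expected symptom of the restriction rejecting that build's certificate.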