firebase app check is not working with web client? - javascript

I have followed the official firebase app check installation tutorial:
https://firebase.google.com/docs/app-check/web/recaptcha-enterprise-provider
And I'm only getting errors.
I created and setup firebase project
Added app check library to my app
copy pasted app check initialization for web:
const appCheck = initializeAppCheck(firebaseApp, {
provider: new ReCaptchaEnterpriseProvider(
"my_recaptcha_key_here"
),
isTokenAutoRefreshEnabled: true, // Set to true to allow auto-refresh.
});
Enforced storage, enforced firestore from my console.
According to the tutorial, thats all you need to do.
RESULT:
Can't access anything from firestore, I get:
#firebase/app-check: FirebaseError: AppCheck: ReCAPTCHA error. (appCheck/recaptcha-error).
When uploading to storage, I get:
#firebase/app-check: FirebaseError: AppCheck: Fetch server returned an HTTP error status. HTTP status: 403. (appCheck/fetch-status-error).
Why is this happening, I have done all the steps in the tutorial?

Please make sure that the App URL is added to the reCAPTCHA allowed domains list.

Related

Forge & Jira: Getting 403 when requesting board configuration using requestJira

I'm building a Jira App with Forge where I retrieve board data from the Jira Cloud Rest API. Data retrieval is done in a client-side script using requestJira from #forge/bridge. I'm able to successfully retrieve a list of all boards using the route /rest/agile/1.0/board but when I try to retrieve the configuration of a selected board using the route '/rest/agile/1.0/board/' + boardId + '/configuration' e.g. /rest/agile/1.0/board/4/configuration, this leads to the error response 403 "Forbidden".
In manifest.yml I have defined permissions as follows:
permissions:
scopes:
- read:jira-work
One should think that this should be enough for retrieving board configurations, particularly since the retrieval of the board list was successful. If not, then what is the required permission in this case? Or what else might be going wrong here?
I also tried executing api.asApp().requestJira('/rest/agile/1.0/board/4/configuration',{}) from #forge/api on the server side. Result was the same, i.e. also a 403 response.
The route /rest/agile/1.0/board/4/configuration works fine when pasted into a browser's address field after the URL of my dev instance.

Firebase Messaging v1 401 Project Not Permitted error

I am running a node server with the firebase admin sdk. However, everytime I try to send a push notification from the server, I get a 401 error.
Here's the exact error I'm getting:
errorInfo: {
code: 'messaging/authentication-error',
message: 'An error occurred when trying to authenticate to the FCM servers. Make sure the credential used to authenticate this SDK has the proper permissions. See https://firebase.google.com/docs/admin/setup for setup instructions. Raw server response: "<HTML>\n' +
'<HEAD>\n' +
'<TITLE>PROJECT_NOT_PERMITTED</TITLE>\n' +
'</HEAD>\n' +
'<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n' +
'<H1>PROJECT_NOT_PERMITTED</H1>\n' +
'<H2>Error 401</H2>\n' +
'</BODY>\n' +
'</HTML>\n' +
'". Status code: 401.'
},
codePrefix: 'messaging'
I'm not exactly sure why I don't have permissions to the project. I have setup my service account, and downloaded the .json file. I even went into the gcloud platform and tried to add any permission that looked correct. Below are all the permissions associated with my service account:
I am running the server locally, and initialized the app like this:
const admin = require('firebase-admin');
const messaging = require('firebase-admin/messaging');
const serviceAccount = require('<path-to-key>');
const fbApp = admin.initializeApp({
credential: admin.credential.cert(serviceAccount),
projectId: '<PROJECT_ID>',
databaseURL: '<DB_URL>'
});
I am not sure what else to do as I've looked through the v1 documentation multiple times and still don't have any clue as to what permissions I'm lacking. I even made sure to "firebase login" into the correct google account to see if that could've been an issue.
Here's my code to send a message:
const sendPushNotifications2 = async (topic, reminder) => {
const payload = genPayload2(reminder);
//await messaging.getMessaging(fbApp).sendToTopic(topic, payload);
await admin.messaging(fbApp).sendToTopic(topic, payload);
};
I have verified the client_id, client_email, and private_key_id values in the .json file. I haven't yet verified the private_key property because I'm not sure where to find it.
It turns out that I had this API disabled: "Firebase In-App Messaging API"
It also turns out that this question was asked before, but I wasn't able to find it. Here's the answer
If anyone else runs into this issue this was my fix:
go to the google cloud platform website
go to APIs and Services
go to Enabled APIs & Services
click + Enable APIs and Services
search for Firebase In-App Messaging API and make sure it's enabled.
You can also just search for messaging and make sure that all the cloud messaging APIs are enabled.
The problem is that new Firebase projects have only the new "Firebase Cloud Messaging API (V1)" enabled by default, and with that configuration - the official firebase-admin NodeJS library will not be able to send messages and will get 401 PROJECT_NOT_PERMITTED errors.
To be able to send message from your server, you MUST also enable the older "legacy" API.
From your Firebase console, go to Project Settings and open the Cloud Messaging tab.
Make sure that both APIs listed are enabled - see screenshot of how it should look:
If any API is not enabled, for the API that is disabled click the three dots menu on the right and select "Manage API"
In the Google Cloud Console page that opens, click the "Enable" button.
Note:
This is basically the same answer as #Tial's self answer, but I was confused by it and (as commented) it got some things wrong - it took me a while to understand it (and the linked answer) to get it right, so I had to clarify.

Firebase authentication error: auth/invalid-credential

I've been experimenting with the authentication service provided by firebase for more than 2 weeks. Everything was perfectly working until yesterday it became impossible for me to use the facebook auth provider neither twitter to make users connect to my web app.
I've tried to sign out and sign in, I deleted my facebook and twitter apps and created others even with other accounts and the problem persists.
The same problem occurred when I tried to use the code they provide on their github which was working before.
The strange thing is that it's working fine when I use the google provider or the sign in with email and password method.
PS: I made sure the providers are enabled in the console.
const signInWithFacebookButton = document.getElementById('signInWithFacebook');
const auth = firebase.auth();
const signInWithFacebook = () => {
const facebookProvider = new firebase.auth.FacebookAuthProvider();
auth.signInWithPopup(facebookProvider)
.then(() => {
console.log('Successfully signed in');
})
.catch(error => {
console.error(error);
})
}
signInWithFacebookButton.addEventListener('click', signInWithFacebook);
Error message when I try to authenticate using facebook :
{code: "auth/invalid-credential", message: "The supplied auth credential is malformed or has expired."}
Error message when I try to authenticate using twitter:
{code: "auth/invalid-credential", message: "Error getting request token: 403 <?xml version="1.…ode-project-fd88e.firebaseapp.com/__/auth/handler"}
For Twitter login, the error code 403 indicates that access to the URL by the client is Forbidden. It gives such an error because you have to whitelist callback URLs(your site).
From documentation,
As part of our continued effort to ensure safety and security on the Twitter developer platform, any developer using Sign in with Twitter must explicitly declare their callback URLs in a whitelist in the Twitter apps settings which can be accessed in the apps dashboard when logged into your Twitter account on developer.twitter.com. This means that if the callback_url parameter used with the oauth/request_token endpoint isn't whitelisted, you will receive an error.
So in Twitter app settings, you have to add your URL say for example,
https://sitename.example.com/auth/twitter and https://sitename.example.com/auth/twitter/callback
You want to use https://yourdomain.com?source=twitter as your callback URL
Add this to the Twitter app dashboard: https://yourdomain.com
Use this in your call to oauth/request_token: https://yourdomain.com?source=twitter.
Refer this community article for more detail:-
Twitter callback URLs
This is worth as an answer: Always click to show your Facebook app secret before copying and pasting it into Firebase setting console. It is counter-intuitive, but Facebook did not implement the clipboard correctly so the hidden asterisk characters will just be copied and pasted verbatim.

Firebase: How to handle invalid firebaseConfig passed to firebase.initializeApp()

I am having an angular app which connects to 2 firebase projects:
The default project is connected on app load via AngularFireModule.initializeApp(environment.firebaseConfig) (AngularFire2)
The secondary project is connected at run time via firebase.initializeApp(firebaseConfig, 'pr1'); (Firebase JS SDK)
Now the firebase config of the 2nd project is received from user through UI. So I need to validate if the firebase project exists with given credentials, before I could do any operation.
Calling res = firebase.initializeApp(firebaseConfig, 'pr1'); with invalid apiKey, authDomain, projectId, storageBucket, etc., is not throwing any error, but successfully returning a FirebaseAppImpl object.
After initialization, calling
res.auth()
res.storage()
also doesnt throw any errors but returning me proper objects.
Only for res.database(), I am getting a console warning as follows:
#firebase/database: FIREBASE WARNING: Firebase error. Please ensure that you spelled the name of your Firebase correctly (https://[invalid-url].firebaseio.com)
But its not throwing any errors, that I could act on.
I need to validate the given keys, and alert the user that 1 or more key is wrong. Any suggestions on how to do this?
Update 1:
Had a look at Firebase Management API: https://firebase.google.com/docs/projects/api/reference/rest
It has many functions like creating, retrieving projects.
But I am not sure, how to make use of any of these APIs to my requirement.

facebook graph api node.js invalid appsecret_proof

this is my first post so please go easy on me!
I am a beginning developer working with javascript and node.js. I am trying to make a basic request from a node js file to facebook's graph API. I have signed up for their developer service using my facebook account, and I have installed the node package for FB found here (https://www.npmjs.com/package/fb). It looks official enough.
Everything seems to be working, except I am getting a response to my GET request with a message saying my appsecret_proof is invalid.
Here is the code I am using (be advised the sensitive info is just keyboard mashing).
let https = require("https");
var FB = require('fb');
FB.options({
version: 'v2.11',
appId: 484592542348233,
appSecret: '389fa3ha3fukzf83a3r8a3f3aa3a3'
});
FB.setAccessToken('f8af89a3f98a3f89a3f87af8afnafmdasfasedfaskjefzev8zv9z390fz39fznabacbkcbalanaa3fla398fa3lfa3flka3flina3fk3anflka3fnalifn3laifnka3fnaelfafi3eifafnaifla3nfia3nfa3ifla');
console.log(FB.options());
FB.api('/me',
'GET',
{
"fields": "id,name"
},
function (res) {
if(!res || res.error) {
console.log(!res ? 'error occurred' : res.error);
return;
}
console.log(res);
console.log(res.id);
console.log(res.name);
}
);
The error I am getting reads:
{ message: 'Invalid appsecret_proof provided in the API argument',
type: 'GraphMethodException',
code: 100,
fbtrace_id: 'H3pDC0OPZdK' }
I have reset my appSecret and accessToken on the developer page and tried them immediately after resetting them. I get the same error, so I don't think that stale credentials are the issue. My
console.log(FB.options())
returns an appropriate looking object that also contains a long hash for appSecretProof as expected. I have also tried this code with a number of version numbers in the options (v2.4, v2.5, v2.11, and without any version key). Facebook's documentation on this strikes me as somewhat unclear. I think I should be using v2.5 of the SDK (which the node package is meant to mimic) and making requests to v2.11 of the graph API, but ??? In any case, that wouldn't seem to explain the issue I'm having. I get a perfectly good response that says my appSecretProof is invalid when I don't specify any version number at all.
The node package for fb should be generating this appSecretProof for me, and it looks like it is doing that. My other info and syntax all seem correct according to the package documentation. What am I missing here? Thank you all so much in advance.
looks like you have required the appsecret_proof for 2 factor authorization in the advance setting in your app.
Access tokens are portable. It's possible to take an access token generated on a client by Facebook's SDK, send it to a server and then make calls from that server on behalf of the client. An access token can also be stolen by malicious software on a person's computer or a man in the middle attack. Then that access token can be used from an entirely different system that's not the client and not your server, generating spam or stealing data.
You can prevent this by adding the appsecret_proof parameter to every API call from a server and enabling the setting to require proof on all calls. This prevents bad guys from making API calls with your access tokens from their servers. If you're using the official PHP SDK, the appsecret_proof parameter is automatically added.
Please refer the below url to generate the valid appsecret_proof,and add it to each api call
https://developers.facebook.com/docs/graph-api/securing-requests
I had to deal with the same issue while working with passport-facebook-token,
I finally released that the problem had nothing to have with the logic of my codebase or the app configuration.
I had this error just because I was adding intentionally an authorization Header to the request. so if you are using postman or some other http client just make sure that the request does not contain any authorization Header.

Categories