0

I am struggling to set up my SHA-1 key correctly and restrict the api key on android.

I have followed the steps to set up app-check using the SHA-256 key which works fine.

I have then added my SHA-1 key to my andriod api key on the GCP credentials page and added the relevant restrictions. I have also added it to the SDK setup and configuration on the firebase console.

If i add the api restrictions it works. The minute I add application restrictions (using my package name and SHA-1 key) it throws the following error despite the user being logged in (again without the application restriction this works fine)

User is not authenticated, please authenticate using Firebase Authentication and try again.

I generated my key using the steps in this link: Generate SHA-1 for Flutter/React-Native/Android-Native app

  1. Am i doing anything wrong? The app-check sha-256 works so why does the sha-1 key not?
  2. What is the difference between adding the SHA-1 key on the firebase SDK setup and configuration vs the credentials section on the GCP console
  3. Are applying the restrictions to the key actually required if using app check?
tripleee
  • 175,061
  • 34
  • 275
  • 318
ebg11
  • 906
  • 1
  • 12
  • 33

1 Answers1

1

There are two modes for applications: Debug mode and Production mode.

Usually, apps we test on emulators or in our mobile phones are debugged so we need SHA-1 for debug mode. If you use Generated Signed Apk then we need SHA-1 for production mode.

When we use firebase, you have to add the SHA-1 and SHA-256 to the firebase setting page. Then firebase automatically adjusts settings in GCP.

You can create credentials manually or firebase creates for you. I prefer the firebase way. So there is no difference.

So why we need SHA-1 or SHA-256 or restrictions?

Suppose someone copies your API key from your computer and adds it to their application. Now the cost for using the services will be added to your bill. It happened to a lot of people already. Just hiding the API key can be dangerous.

Another example, suppose you are the owner of your company. You hire someone and you give them an API key for testing or development purposes. Now if the developer sells the API key for 1 day (he can make ~1000$) to a medium-sized company. Then the cost will be added to your bill.

So we need some lock inside the server, So what we do is android studio creates a project and has a unique SHA credential. Then these are checked by the server and if they match then they allow them to use the API. So for your security, you can add the restrictions. I got a bill of 54000 INR from Amazon AWS due to the same mistake. But they adjusted because I requested them via mail.

Also, you can remove all restrictions and in this way, there will be no auth error (100% sure).

Example of API key - 12kmcasdi23n2jn3r2j423jn1o23mk3-934nof Example cost - $10/1000requests

Vijay
  • 1,163
  • 8
  • 22
  • I know what they are I am just not sure why it is not working with firebase app check https://firebase.google.com/docs/app-check I am using a real device and a self signed sha1 and sha256 key from my own pc. It fails when i restrict the api key using the sha1 key i generated on the GCP credentials setting. – ebg11 Jun 14 '21 at 20:06
  • this is the page i am making the chabges on : https://console.cloud.google.com/apis/credentials – ebg11 Jun 14 '21 at 20:07
  • Remember to configure the OAuth consent screen with information about your application. Go to the same page in your second comment. See this is not a complex thing. Just find the problem. There is a problem from your side. It happens with me also, Sometimes I think there is a bug in android studio but after researching I find out that android studio is woking fine. And GCP is a powerful platform. Just check the documentations. – Vijay Jun 15 '21 at 09:03
  • could you explain what the oauth consent screen is and why its related to this – ebg11 Jun 15 '21 at 16:25
  • OAuth is the place where we choose the type of restriction and security. You will easily find it below the credentials tab. Just open it and read the steps, it is easy to understand the setup. That's All I can do for you. – Vijay Jun 16 '21 at 05:08