2

I am working on a mobile project that is built on Ionic and uses Firebase for auth, database, storage, etc. A few days ago, I applied restrictions to the Firebase API keys on Google Cloud Console by setting up HTTP referrers for the iOS/Android/Web API keys. The problem is that both the iOS and Android builds are having issues with Firebase API calls (the web app still works normally), throwing the following error:

[ Requests from referer <empty> are blocked. ]" !! smsLogin ERROR"Error Domain=FIRAuthErrorDomain Code=17999 "An internal error has occurred, print and inspect the error details for more information." UserInfo={FIRAuthErrorUserInfoNameKey=ERROR_INTERNAL_ERROR, NSLocalizedDescription=An internal error has occurred, print and inspect the error details for more information., NSUnderlyingError=0x282938ff0 {Error Domain=FIRAuthInternalErrorDomain Code=3 "(null)" UserInfo={FIRAuthErrorUserInfoDeserializedResponseKey={\n code = 403;\n details = (\n {\n "@type" = "type.googleapis.com/google.rpc.ErrorInfo";\n domain = "googleapis.com";\n metadata = {\n consumer = "projects/770668602613";\n service = "identitytoolkit.googleapis.com";\n };\n reason = "API_KEY_HTTP_REFERRER_BLOCKED";\n }\n );\n errors = (\n {\n domain = global;\n message = "Requests from referer are blocked.";\n reason = forbidden;\n }\n );\n message = "Requests from referer are blocked.";\n status = "PERMISSION_DENIED";\n}}}}"

What does the referrer <empty> mean here?

Frank van Puffelen

2 Answers

1

This error message means that the HTTP "Referer" header field is either completely missing or has a blank value in the HTTP request being sent to the underlying Firebase or any other Google Cloud API. The HTTP Referer header field allows identification of the web URL (page) that is requesting access to a resource (such as an API). This identification enables implementation of API key restriction control using HTTP referrers, as described here.

Since you have mentioned in the problem statement that only the iOS and Android builds are having issues with Firebase API calls but the web app is still working normally, it looks like the issue is that the (optional) HTTP "Referer" header field is not being set in your Android and iOS apps.

For web applications using browsers, the HTTP "Referer" field is set automatically by the browser, which is why the web app did not exhibit this issue in the first place. A similar issue is nicely answered and described in this other Stack Overflow question.

0

If you are using signInFlow: "popup" or otherwise have the Firebase auth popup in its own browser window, and you have not set up a custom domain with Firebase Hosting, you need to add your Firebase URL under website restrictions, like: https://<your-app-12345>.firebaseapp.com/.

This is because the browser sets the Referer header from the popup window, where the domain is your Firebase URL and not your actual website URL.

gh123man
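A simplified model of the referrer check that both answers describe, added here as an illustration (it is not code from either answer, from Firebase or from Google). The `*` wildcard semantics, the function names and the `app.example.com` site are assumptions; the sample Referer values are constructed.

```javascript
// Simplified model of an API key "website restriction" check.
// Assumption: '*' in a pattern matches any run of characters.
function patternToRegExp(pattern) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$', 'i');
}

// Decide whether one request would pass, given its Referer header value.
function checkReferer(referer, allowedPatterns) {
  if (referer === undefined || referer === null || referer.trim() === '') {
    // Native iOS/Android HTTP clients send no Referer header, so a key
    // restricted by HTTP referrer can never match their requests.
    return { allowed: false, reason: 'Requests from referer <empty> are blocked.' };
  }
  const ok = allowedPatterns.some((p) => patternToRegExp(p).test(referer));
  return ok
    ? { allowed: true, reason: 'referer matches an allowed pattern' }
    : { allowed: false, reason: `Requests from referer ${referer} are blocked.` };
}

// Constructed restriction lists: the site alone, then with the Firebase auth domain.
const siteOnly = ['https://app.example.com/*'];
const withAuthDomain = [...siteOnly, 'https://your-app-12345.firebaseapp.com/*'];

// Constructed requests: [description, Referer value the client sends].
const samples = [
  ['web app page', 'https://app.example.com/'],
  ['native iOS/Android build', undefined],
  ['auth popup window', 'https://your-app-12345.firebaseapp.com/'],
];

// Evaluate every sample request against a restriction list.
function evaluate(patterns) {
  return samples.map(([who, referer]) => ({ who, ...checkReferer(referer, patterns) }));
}

console.log('site only:', evaluate(siteOnly));
console.log('site + auth domain:', evaluate(withAuthDomain));
```

In this model no referrer pattern can ever match the native builds' requests, because there is no Referer value to compare against.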