Hi! I am a completely new developer and I am using Flutterflow with Firebase. And I will be developing an app for a school with 500 students, the app will serve as a way for the parents to change the bus for their kids (300 changes per day). I don’t know if the free plan will cover it or if 1000 users (2 per kid) is a lot and should consider something else. Thanks for all the help!

Having an issue with Firebase AppCheck when running a release.apk . I added app check to my app and it works fine for the app if downloaded from the Play Store or the App Store.

I have added the Sha256 cert which i used to sign release.apk to Play Integrity. But I get 403 when running the app installed through the release.apk . This also happens when running my app downloaded from the Galaxy Store

Hi :D I've never used firebase before so I'm a little lost. When i go to firebase - storage i get this message:
Your data location has been set in a region that does not support no-cost Storage buckets. Create or import a Cloud Storage bucket to get started.Get started
But then when i click on get started and go through the 2 forms no matter what i enter i get this error:

https://preview.redd.it/y76gl9tb0xge1.png?width=1381&format=png&auto=webp&s=711e46e808227afb5603a61f3e1b51463a4e339f

Anyone know how i can fix that?

I have a dev, staging, and prod setup for my project. For some reason, without any known code or env changes, and with dev/staging still working as expected, prod will now always fail with

i  hosting[PROJECT_NAME]: finalizing version...

Error: Request to https://firebasehosting.googleapis.com/v1beta1/projects/-/sites/PROJECT_NAME/versions/b08f11f380e?updateMask=status%2Cconfig had HTTP Error: 404, Requested entity was not found.

update: this randomly fixed itself. Unnerving but I'll take it...

I setup a few onCall functions with the firebase.json "rewrites": [

    {
      "source": "/ON_CALL_FUNCTION",
      "function": "ON_CALL_FUNCTION"
    },

Most of the time, the function will work properly from firebase. But randomly, I get these cors issues:

    Access to fetch at 'https://us-central1-PROJECT_NAME.cloudfunctions.net/ON_CALL_FUNCTION' from origin 'HOSTING_URL' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Has anyone else noticed this? If I need to make them http callable, I will, but I don't get why it randomly breaks so often? can it either work or not work?

edit: Fixed it. The cloud run security authentication was set to "Require authentication" (the default, which I mistook to mean no guests) when it should be "Allow unauthenticated invocations"

So I'm getting this error when I attempt to create an account for a site I'm making. My rules are:

rules_version = '2';

service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read, write: if request.auth != null && request.auth.uid == userId;
}}}

If I change it to "if true;" the signup feature works and is added to the database. Here's some of my code:

Signup code

https://www.tapdance.dev

I've been working on my first game/experiment. It lets you casually jam with other users by placing picking an instrument circles on a gird. You don't really need any musical expertise to play it. It uses firestore, storage, and functions. Would love to hear some honest feedback

https://preview.redd.it/0mph2nqihsge1.png?width=2500&format=png&auto=webp&s=49105cb04af3e66b441da6274f3d5fc003d9041d

I created a website builder - myDomain.com where a User can select a template and the website is then hosted on:

usersProjectName.myDomain.com

Now I want to implement a feature where a User can connect his domain usersProjectName.con via CNAME to usersProjectName.myDomain.com.

In theory, this would be easy - I could add his domain in App Hosting.

But since I want to do this automatically and want a scaleable option - when the feature is triggered, is there a way to call a cloud function or whatever, to create a valid certificate for this connected domain and make it accessible to my origin url?

Can anyone help me to understand what was the cause that lead to this violation? I have a small project for student to practice the quizzes and review lesson. Not sure why it has been flagged as "phishing" as it doesn't have more than 2 pages/urls.

Screenshot of Google appeal's page

I have a problem protecting sensitive info of appointments (Firestore)
I thought of creating a second collection called publicAppointments in which I could put some general info of appointment such as start/end time etc and then the sensitive info (who booked etc) in a collection appointments which is accessible only from the user who booked and the employee. The problem that I have is that if an appointment is created it always should create a publicAppointment too . I am thinking some conditions in which a malicious user could possibly create appointemnts without publicAppointments which may create a huge problem to the app.
How should I handle that ? Thank you

I've been struggling to find a solid working example of Firebase Authentication in a next.js project that supports:

• Client-side authentication (handling login, user state, etc.)
• Server-side rendering (fetching user data securely, protecting routes, etc.)

I've tried reading countless tutorials, docs, and even experimenting with service workers and cookies, but I still can't find a clear, working implementation that is simple and effective. In all solutions something was not working, mostly auth state was not synced properly on client and server sides. What I need is:

• A basic Next.js + Firebase Auth sample project that does both client & server-side authentication.
• Some best practices for protecting layouts in Next.js App Router (e.g., how to wrap protected pages properly) or use middleware or something else.
• How to verify Firebase tokens on the server (middleware or API routes?) while still keeping things fast and efficient.

I’m done searching tutorials, most are either outdated, incomplete, or just don’t cover both client & server authentication properly. The Firebase docs are especially bad at explaining this. I've gone through many articles in the thread. I know this has been asked many times, but I still find myself struggling. Thanks

I am having and issue with Appcheck. I have released and app that uses appcheck and everything was working perfectly. Now, with and update, i have added a secondary database, and everything works perfectly, the issue Is that of i turn on appcheck, i am able to read the default database, but if gives permission Denied on the second One. I am sure It Is appcheck and not the rules because i have set them to true Always for test purposes, and if i disabile appcheck It works. Isn't appcheck supported for multiple database? Is something more steps required? I cannot find anything documented on firebase

Does anyone have experience with migrating authenticated users and firestore data to another project within the same Firebase account?

When my users verify their email, the link sent to them is a firebase domain. What’s the easiest way to change that to my own domain without having to host a server to handle it?

i have hosted my website using custom domain but even after i already disabled and deleted the website in firebase it is still showing this. I now is trying separate hosting for my website, i want this removed. How to remove this ?

https://preview.redd.it/tgpgcqqv6age1.png?width=826&format=png&auto=webp&s=cfac768c6c151b618cd3611ae1b10ae9d48d78d5

Context (not relevant to the main subject, you may skip):

I'm using Firestore emulators and as you may know, they don't support indexes. The main problem I have with this is that I won't know if my queries will throw a missing index error once pushed to a live Firestore instance. Right now, I setup a "dev" project just to test queries and have them throw errors, but I could be accidentally missing some. The alternative would just to use the dev project even locally, but then what's the point of having emulators?? All-in-all, it's just a bad experience of always having that thought of "gotta remember to test this query on a live instance to see if I need an index!".

Main subject:

I'd like to be able to know in advance when I'll need a Firestore index so that I can add it to firestore.indexes.json without needing to wait for an error to give me the link, just using my brain 🧠! Reading this documentation and based on the ones that were created for me, I think I got the gist of it, but I wanted to share my chain of thought to see if I got it right (and maybe help others get it too).

Here's what I came up with:

Let me know if I got it right, wrong or if it could be expanded further! (maybe some more steps to determine the order?)

Side note: I noticed I never get a link for missing indexes on collection group queries. This happens on two projects I use Firebase Admin with, is it just me or should I open an issue regarding this?

It's my first time making an app and I'm unsure of what security features are handled automatically by firebase and which I need to implement myself. Every time a user accesses a certain page, I read from the firestore database. I have some caching in place in the front end to limit the number of calls, but this involves using AsyncStorage which afaik can be manually modified by a jailbroken device etc. Could this be exploited to issue infinite read calls to my database? Eg by constantly wiping cache and navigating back to the page? Is this a legitimate concern, and how do I go about preventing it?

Hello! I am working on a website for a client that uses firestore, auth, hosting and functions. I originally was going to redo this for every client, but with all the apis and configurations, it can be a headache to replicate each time.

Is there a way for me to have multiple DIFFERENT website use the same firebase project? I was thinking having different dbs or just have one large db and separate at the root for each website, then maybe add a rule for each authenticated user on what they can and can’t access.

Can someone let me know on any problems with my approach and what i can do to work this out? I’m new-ish to firebase but i haven’t gone too crazy besides simple one site projects.

I need to have language-independent data model definitions and will be using google's protobuf as model definition language. However, protobuf doesn't support custom scalar types with individual implementations so no firestore-native types.

Instead of Timestamps, I want to save dates as unix-style int's. Is there any disadvantage to that besides readability in firestore? Any kind of range, orderBy etc. queries would be just as good with integers, correct? The only thing I can think of is the serverTimestamp field value that prevents client-side time manipulation, however I have the ntp package in flutter for that.

I fell in love with firebase because of how easy it is to set up and it's potential to reach near-infinite scale (if you ignore cost) but it is slowly dawning on me that maybe it is not that great for really high-quality well-tested entreprise-grade apps. In particular, I've found it incredibly difficult to set up a great testing environment for cloud functions.

As I see it, a good testing set up would connect to the emulator and test each cloud function in 3 different ways;

1. using the httpsCallable function to simulate client-side requests to the cloud function
2. calling the cloud function using the test.wrap method
3. calling granular logic within a cloud function

I am using jest and the part that is tripping me up is that there seems to be some subtle differences in the implementation to enable admin.firestore() functionality. In particular, case 1) would require auth functionality and simply calling signInWithEmailAndPassword doesn't seem to work for me.

I hope I'm wrong, but even if I am, the complete lack of documentation would be enough for me to encourage other devs to not go down this rabbit-hole.

Best-case scenario would be a github repo that I can fork/review. I've reviewed the Google example repos in-depth which seem quite complex and don't cover all 3 scenarios.

My best effort can be found here https://github.com/robMolloy/firebase-be-playground

Thanks in advance to anyone that can help!

https://preview.redd.it/jne7k2kri5ge1.png?width=3164&format=png&auto=webp&s=3250a2034d8c05ffe492fdb486696a7a33e1375d

Hello guys, I have a flutter project that I used firebase for its database, authentication and hosting, it used to work for almost a month or two, but now whenever I deploy a new version I get this screen,
I have tried to use another firebase project, clearing the cache and nothing worked.

{   "database": {     "rules": "database.rules.json"   },   "hosting": {     "public": "build/web",     "ignore": [       "firebase.json",       "**/.*",       "**/node_modules/**"     ],     "rewrites": [       {         "source": "**",         "destination": "/index.html"       }     ]   } }  

this is the firebase.json file

I think I have tried everything and got nothig, did anyone face this problem before

I am building a mobile app with only firebase as backend, I use firestore, auth, storage and cloud functions. As I have IAP in my app I'm also using revenueCat. I wanted to limit doc creation based on the purchases but I've been having a hard time creating the logic as firebase uses public api. This made me question the security for my app. I do have rules based on my logic but now I am thinking about whether it is enough. I asked around and I've been told it's important to implement ssl pinning in apps but as far as I've researched, Firebase App Check does something similar so I've been thinking whether I should implement it.

My app is a rather simple app in which you can share files with other people; it doesn't handle sensitive data. My priority is to publish the app and improve it when it's published before I start promoting it. So I want to ask about how far I should go with my security with a small app in the beginning. I know there are trade offs and I should be the one deciding but I wanted to hear your experiences before I make a decision.

Im buillding a full stack node application using express, mongodb, and firebase. I have created a firebase project, in firebase console I have also enabled 'email and password' and 'Google' auth providers, which has created a new google cloud project automatically. For now, I have only created backend, not a frontend yet. I am using 'firebase-admin' in the backend only to verify the id tokens. Till now, I was using identitytoolkit to sign in with password and get access token and refersh tokens (link: https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[firebase API Key]). Btw, I am using postman. Now, i want to get refresh and access token using google OAuth, which I am getting using OAuth 2.0 Authorization available in Postman, they are working fine too, as i made API to fetch their email and personal info directly with Google Cloud REST API (Link: https://openidconnect.googleapis.com/v1/userinfo). But, its not creating a user in my firebase console. I tried using the credentials (client Id and client secret) from both the OAuth 2.0 Client IDs - one which was automatically created(Web client (auto created by Google Service)) and other one which i created manually)

Also, I observed that, when Browser opens upon clicking 'Get New Access Token' button in OAuth 2.0 in Authorization in postman request, it says "Choose an account to continue to oauth.pstmn.io". But, upon successful login/sign-up, the application name does show up in my Google Accounts > Data and Privacy > "Third Party Apps and Services".

Am I missing something here or what it is? Is what I am doing not possible at all? Is it any different in frontend??

Hi everyone!

I'm having trouble getting Firebase App Check to work in my app, specifically when using the Play Integrity provider in production. Here's a breakdown of my setup and the issue I'm encountering:

Setup Details

• Two Firebase Projects:
  • Primary Project: Initialized automatically using the google-service.json file. Used for:
    • Remote Config
    • Crashlytics
    • Test Lab
  • Secondary Project: Manually initialized for:
    • Firestore
    • Authentication
    • Storage
    • Functions
    • App Check

Code

All the APIs defined in the second project work except for App Check. This means that I have no issue at getting data from Firestore or media from Storage. Here's the Kotlin code I use to manage the secondary Firebase project and set up App Check:

object FirebaseManager {
  private const val SECONDARY_APP_NAME = "secondary"
  private val lock = Any()
  private var secondaryApp: FirebaseApp? = null

  fun initializeSecondaryProject(context: Context) {
    ensureSecondaryApp(context)
  }

  fun getFirestore(context: Context): FirebaseFirestore {
    return FirebaseFirestore.getInstance(getSecondaryApp(context))
  }

  fun clearCache(context: Context) {
    FirebaseFirestore.getInstance(getSecondaryApp(context)).clearPersistence()
  }

  fun getAuth(context: Context): FirebaseAuth {
    return FirebaseAuth.getInstance(getSecondaryApp(context))
  }

  fun getFunctions(context: Context): FirebaseFunctions {
    return FirebaseFunctions.getInstance(getSecondaryApp(context))
  }

  fun getStorage(context: Context): FirebaseStorage {
    return FirebaseStorage.getInstance(getSecondaryApp(context))
  }

  private fun getSecondaryApp(context: Context): FirebaseApp {
    return secondaryApp ?: synchronized(lock) {
      secondaryApp ?: ensureSecondaryApp(context)
    }
  }

  private fun ensureSecondaryApp(context: Context): FirebaseApp {
    return secondaryApp ?: run {
      FirebaseApp.getApps(context)
        .firstOrNull { it.name == SECONDARY_APP_NAME }
        ?.also { secondaryApp = it }
        ?: createNewSecondaryApp(context)
    }
  }

  private fun createNewSecondaryApp(context: Context): FirebaseApp {
    val options = FirebaseOptions.Builder()
      .setProjectId("project_id")
      .setApplicationId("application_id")
      .setApiKey("api_key")
      .setStorageBucket("bucket_link")
      .build()

    return Firebase.initialize(context, options, SECONDARY_APP_NAME).also {
      secondaryApp = it
      setupAppCheck(it)
    }
  }

  private fun setupAppCheck(app: FirebaseApp) {
    val appCheck = Firebase.appCheck(app)

    appCheck.apply {
      installAppCheckProviderFactory(
        if (BuildConfig.DEBUG) DebugAppCheckProviderFactory.getInstance()
        else PlayIntegrityAppCheckProviderFactory.getInstance()
      )
      setTokenAutoRefreshEnabled(true)
    }

    appCheck
      .getAppCheckToken(false)
      .addOnSuccessListener { token ->
        Timber.d("APP_CHECK", "Token: ${token.token}")
        Amplitude.getInstance().logEvent("app_check_success")
      }
      .addOnFailureListener { e ->
        Timber.e("APP_CHECK", "Token failure", e)
        Amplitude.getInstance().sendEvent(
          nameOfEvent = "app_check_failure",
          properties = mapOf(
            "error_message" to e.message,
            "error_exception" to e.toString(),
            "error_cause" to e.cause?.toString(),
            "error_stacktrace" to e.stackTraceToString(),
            "error_localized_message" to e.localizedMessage
          )
        )
      }
  }
}

Initialization Call:

FirebaseManager.initializeSecondaryProject(context)

This is called first thing inside the Application class.

Issue Details

• In Debug Mode:
  • Using DebugAppCheckProviderFactory, everything works fine.
  • Verified requests are shown as “Verified requests” in Firebase.
• In Production:

  • Using PlayIntegrityAppCheckProviderFactory, App Check fails.

  • Error Logged:

    error_cause: null
    error_exception: java.lang.NumberFormatException
    error_localized_message: null
    error_message: null
    error_stacktrace: java.lang.NumberFormatException
    

What I've Done So Far

1. Play Integrity API:
   • Linked correctly to the Google Cloud project of my second Firebase Project.
2. SHA-256 Certificate:
   • Copied the SHA-256 fingerprint from the App signing key certificate to the Apps tab in Firebase App Check.
3. Google Play Store:
   • Of course the app is distributed via Play Store.
4. Logging:
   • Integrated Amplitude for better insights.
   • Successfully see “app_check_success” events in debug, but only the NumberFormatException in production.

Conclusion

I'm not sure why I cannot make App Check work. Seems like I have an issue with my attestation provider. Has anyone ended up with a similar issue or can provide guidance on what might be going wrong?

Any insights or suggestions would be greatly appreciated!

Hello! So on our platform, the app (written in Flutter) can receive push notifications from the server. SInce we work with a reminder system, we send several notifications with the same collapse ID to the user app. However, we have noticed that, while in Android sending these notifications always trigger the FirebaseMessaging.onMessage listener (while the app is in the foreground), on iOS only the first notification triggers the listener, and following push notifications do not trigger it.

Is this expected behaviour? Can Firebase fix this or is this an Apple issue? Thanks for your help!

I'm trying to add a Apple login using Firebase on my react project. I created my Apple Developer account and following this documentation:
https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/

I'm met in an error when trying to follow the first link. Do I need to enroll with their membership to allow the sign in method? Thanks in advance

i'm getting this error on emulator:start

functions: Failed to load function definition from source: FetchError: request to  
http://127.0.0.1:8906/__/functions.yaml
  failed, reason: socket hang uP

I have been banging my head for the last 7 hours any idea on whats happening my firebase-debug log :

debug] [2025-01-30T05:03:37.690Z] Failed to call quitquitquit. This often means the server failed to start request to http://localhost:8566/__/quitquitquit failed, reason:  {"message":"request to http://localhost:8566/__/quitquitquit failed, reason: ","type":"system","errno":"ECONNREFUSED","code":"ECONNREFUSED"} [error] ⬢  functions: Failed to load function definition from source: FetchError: request to http://127.0.0.1:8566/__/functions.yaml failed, reason: socket hang up {"metadata":{"emulator":{"name":"functions"},"message":"Failed to load function definition from source: FetchError: request to http://127.0.0.1:8566/__/functions.yaml failed, reason: socket hang up"}}  

any help would be appierciated

it was working fine until i was upgraing it to use defineSecretes instead of using functions.config

I was adding google Oauth using node and react in my website , it worked fine but suddenly started giving the error cross-origin-opener-policy policy would block the window.closed call

Added the recommended headers in main index file but still problem persists

Please suggest some ways to fix it