| 1 | +<!-- |
| 2 | +SPDX-FileCopyrightText: Copyright (C) 2025 Opal Health Informatics Group at the Research Institute of the McGill University Health Centre <john.kildea@mcgill.ca> |
| 3 | +
|
| 4 | +SPDX-License-Identifier: CC-BY-SA-4.0 |
| 5 | +--> |
| 6 | + |
| 7 | +# Firebase project setup |
| 8 | + |
| 9 | +The user applications [communicate via Firebase](../development/architecture/index.md#communication-between-user-applications-and-the-opal-pie) with the _Opal PIE_. |
| 10 | +You need your own Firebase project so that your app can communicate with the backend components. |
| 11 | + |
| 12 | +!!! note |
| 13 | + |
| 14 | + Firebase is a Google product. |
| 15 | + Therefore, you need a Google account to be able to use Firebase. |
| 16 | + |
| 17 | +## Create a new Firebase project |
| 18 | + |
| 19 | +1. Open the [Firebase Console](https://console.firebase.google.com) |
| 20 | +1. Click on "Create a new Firebase project" |
| 21 | +1. Give it a relevant project name, such as "Opal Local" |
| 22 | +1. Uncheck "Enable Google Analytics for this project" and other options that are proposed to you |
| 23 | +1. Click "Create project" |
| 24 | + |
| 25 | +The "Authentication" and "Realtime Database" features are needed for communication between the apps and backend components. |
| 26 | +Follow the instructions below to enable and configure these features. |
| 27 | + |
| 28 | +## Create a new Realtime Database |
| 29 | + |
| 30 | +1. In the left panel of your newly created Firebase project, expand "Build" and click on "Realtime Database". |
| 31 | +1. Click "Create Database" |
| 32 | +1. On the second step of "Set up database" (Security rules), select "Start in test mode". |
| 33 | + |
| 34 | +!!! note Security rules |
| 35 | + |
| 36 | + This configures your Realtime Database to be accessible to anyone for 30 days. |
| 37 | + It is also possible to restrict access to authenticated users only by specifying the condition as `auth.uid !== null`. |
| 38 | + However, not all features will work. |
| 39 | + The rules in use by the Opal solution can be found in the [listener project](https://github.com/opalmedapps/opal-listener/blob/main/firebase/database.rules.json). |
| 40 | + See the [instructions on how to deploy them](https://github.com/opalmedapps/opal-listener/blob/main/docs/source/firebase-rules.md) to your project or copy-and-paste them into your project's rules. |
| 41 | + |
| 42 | +See also the Firebase documentation on [Firebase Security Rules](https://firebase.google.com/docs/rules). |
| 43 | + |
| 44 | +## Enable email and password authentication |
| 45 | + |
| 46 | +1. In the left panel, expand "Build" and click on "Authentication" |
| 47 | +1. Click on "Get started" |
| 48 | +1. Choose "Email/Password" as the sign-in provider |
| 49 | +1. Enable "Email/Password" and click "Save" |
| 50 | + |
| 51 | +See also the Firebase documentation on [Firebase Authentication](https://firebase.google.com/docs/auth). |
| 52 | + |
| 53 | +## Retrieve the Firebase project configurations |
| 54 | + |
| 55 | +Retrieve the client configuration for browser and Android apps: |
| 56 | + |
| 57 | +### Browser client configuration |
| 58 | + |
| 59 | +1. Click on the settings icon (gear) next to "Project Overview" |
| 60 | + |
| 61 | +1. Click on "Project Settings" |
| 62 | + |
| 63 | +1. In the "General" tab, under "Your Apps", click the "< />" icon |
| 64 | + |
| 65 | +1. Choose an app nickname, such as "Opal Local" |
| 66 | + |
| 67 | + You can also enable "Firebase Hosting" at this time if you are planning to use this project for production or intend to test the password reset feature in the app. |
| 68 | + |
| 69 | +1. Click "Register app" |
| 70 | + |
| 71 | +1. Copy the code and save it somewhere for later |
| 72 | + |
| 73 | +### Mobile app client configuration |
| 74 | + |
| 75 | +1. Go back to the "Project Settings" page |
| 76 | +1. In the "General" tab, under "Your Apps", click the Android icon |
| 77 | +1. Choose an Android package name |
| 78 | +1. Click "Register app" |
| 79 | +1. Download the `google-services.json` file and save it somewhere for later |
| 80 | + |
| 81 | +!!! question "Do I also need to add an iOS app?" |
| 82 | + |
| 83 | + You do not need to add it if you are only building the iOS app. |
| 84 | + The iOS app is reusing the `google-services.json` file during the build. |
| 85 | + |
| 86 | + However, if you intend to use [Firebase App Distribution](https://firebase.google.com/docs/app-distribution) to distribute your mobile app to testers, you will need to register an iOS app as well. |
| 87 | + |
| 88 | + 1. Go back to the "Project Settings" page |
| 89 | + 1. In the "General" tab, under "Your Apps", click the iOS icon |
| 90 | + 1. Provide the Apple bundle ID of your app |
| 91 | + 1. Click "Register app" |
| 92 | + |
| 93 | +### Service account |
| 94 | + |
| 95 | +Retrieve the private key for the admin SDK: |
| 96 | + |
| 97 | +1. Go back to the "Project Settings" page and click on the "Service accounts" tab |
| 98 | +1. Click on "Generate new private key" and then "Generate key" |
| 99 | +1. Download the file somewhere safe on your machine for later |
| 100 | + |
| 101 | +See also the Firebase documentation on [Admin SDK Authentication](https://firebase.google.com/docs/database/admin/start). |
| 102 | + |
| 103 | +## Restrict permissions |
| 104 | + |
| 105 | +During the above set up, Firebase creates a service account and API keys for you. |
| 106 | +By default, these have permissions that are more permissive than what is needed. |
| 107 | +Therefore, we strongly recommend to restrict their permissions, especially for production environments. |
| 108 | + |
| 109 | +### Restrict service account permissions |
| 110 | + |
| 111 | +By default, Firebase creates a service account and API keys. |
| 112 | +The service account likely has more permissions than are needed. |
| 113 | +We recommend to restrict the permissions as much as possible. |
| 114 | + |
| 115 | +Go to the [Service Accounts in Google Cloud](https://console.cloud.google.com/projectselector2/iam-admin/serviceaccounts) and select your Firebase project, then: |
| 116 | + |
| 117 | +1. Click on the name of the service account that was created for you |
| 118 | +1. Go to "Permissions" and click on "Manage access" |
| 119 | +1. Update the assigned roles to match the following roles: |
| 120 | + - _Firebase Authentication Admin_ |
| 121 | + - _Firebase Cloud Messaging Admin_ |
| 122 | + - _Firebase Realtime Database Admin_ |
| 123 | + - _Firebase Rules Admin_ |
| 124 | +1. Click "Save" |
| 125 | + |
| 126 | +### Restrict API keys |
| 127 | + |
| 128 | +When registering apps on your Firebase project, Firebase automatically creates API keys. |
| 129 | +These should be further restricted. |
| 130 | + |
| 131 | +!!! question "Can new API keys be created instead?" |
| 132 | + |
| 133 | + This is generally possible. |
| 134 | + However, as part of the set up you will need to get a `google-services.json` file. |
| 135 | + When this file is retrieved, Firebase automatically creates corresponding API keys. |
| 136 | + |
| 137 | +Go to the [API Credentials in Google Cloud](https://console.cloud.google.com/apis/credentials) and select the corresponding Firebase project. |
| 138 | + |
| 139 | +#### Browser key |
| 140 | + |
| 141 | +1. The browser key should have a name like "Browser key (auto created by Firebase)" |
| 142 | + |
| 143 | +1. Click on its name to edit it |
| 144 | + |
| 145 | +1. Under "Application restrictions", choose "Websites" |
| 146 | + |
| 147 | +1. Add the following websites at a minimum to allow mobile app users to access this project |
| 148 | + |
| 149 | + - `app://localhost` |
| 150 | + - `http://localhost` |
| 151 | + - `https://<your-firebase-project-id>.firebaseapp.com` |
| 152 | + |
| 153 | + You should also add the base URL of your registration and web app to this list. |
| 154 | + |
| 155 | +1. Under "API Restrictions", choose "Restrict key" |
| 156 | + |
| 157 | +1. Choose the following APIs |
| 158 | + |
| 159 | + - _FCM Registration API_ |
| 160 | + - _Firebase Realtime Database Management API_ |
| 161 | + - _Identity Toolkit API_ |
| 162 | + |
| 163 | +1. Click "Save" |
| 164 | + |
| 165 | +#### Android key |
| 166 | + |
| 167 | +1. The Android API key should have a name like "Android key (auto created by Firebase)" |
| 168 | +1. Click on its name to edit it |
| 169 | +1. Under "API Restrictions", choose "Restrict key" |
| 170 | +1. Choose the following APIs |
| 171 | + - _FCM Registration API_ |
| 172 | + - _Firebase Realtime Database Management API_ |
| 173 | + - _Identity Toolkit API_ |
| 174 | + - _Firebase Installations API_ |
| 175 | +1. Click "Save" |
| 176 | + |
| 177 | +It is also possible to restrict the key further to a specific Android app. |
| 178 | + |
| 179 | +#### iOS key |
| 180 | + |
| 181 | +The iOS key gets generated when [registering an iOS app](#mobile-app-client-configuration). |
| 182 | +This key, named "iOS key (auto created by Firebase)", is not needed and can be deleted. |
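Review bot: The answer in the "Do I also need to add an iOS app?" admonition contradicts itself: "You do not need to add it if you are only building the iOS app" should read that an iOS app does not need to be registered even when building the iOS app, since the following sentence explains that the iOS build reuses `google-services.json`. Two documentation points in the same file: the "Restrict service account permissions" section repeats the "Firebase creates a service account and API keys" sentence from the "Restrict permissions" intro, so one of the two should go; and the "Security rules" note leaves it implied by the 30-day expiry that test-mode rules must be replaced with the listener project's rules before any real data is stored, which is worth stating outright, as is a "do not commit this file" caveat in the "Service account" step, given that the downloaded private key carries the admin roles listed later on the page. Minor grammar: "recommend to restrict" should be "recommend restricting", and "set up" as a noun ("the above set up", "part of the set up") should be "setup".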