kreait / firebase-bundle

A Symfony Bundle for the Firebase PHP Admin SDK
https://github.com/kreait/firebase-php
MIT License

Symfony secrets management support #28

Closed reanim8ed closed 3 years ago

reanim8ed commented 3 years ago

The problem

Can't use the Firebase-provided private key encoded with Symfony's new secret encryption system.

Details

I don't like to keep Firebase keys in a JSON file. It would be much better to provide them in the configuration file as encrypted env variables encoded with Symfony's secret management system. In config/packages/firebase.yaml, instead of setting the credentials value to a JSON file, I tried to provide the list of values directly:

    my_project:
      default: true
      public: true
      credentials:
        type: "service_account"
        project_id: "my_project_id"
        private_key_id: 'my_project_private_key_id'
        private_key: 'my_project_private_key'
        client_email: 'my_project_client_email'
        client_id: 'my_project_client_id'
        auth_uri: "https://accounts.google.com/o/oauth2/auth"
        token_uri: "https://oauth2.googleapis.com/token"
        auth_provider_x509_cert_url: "https://www.googleapis.com/oauth2/v1/certs"
        client_x509_cert_url: 'my_project_cert'

If values are set directly here - it works.

The next step would be to encode these vars and provide them in the bundle's YAML file with '%env(MY_VAR)%'. But there is an issue with the private_key value. After I tried to send a push notification, this warning was received: Warning: openssl_sign(): supplied key param cannot be coerced into a private key.

As I understand it, the issue here is caused by the newline character \n in this private key. Example: https://i.imgur.com/83eDkL8.png But because it is used in YAML, I can't use str_replace to change them. Is there a way to use this key encoded?

jeromegamez commented 3 years ago

This should be possible by setting the environment variable with the minified output of the JSON file. You can create it, for example, with jq and the following command:

    $ jq -c . < /path/to/service_account.json

This should remove the need to str_replace things and has the benefit of having to set/encrypt just a single value.

Please let me know if this helps.

reanim8ed commented 3 years ago

Oh, I haven't thought of it. It works great this way. Thank you!
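
The minified-JSON approach from the thread, as an added PHP example that is not part of the original discussion or the bundle's code. It assumes the cause is the newline handling the reporter suspects; the key is a throwaway generated at runtime, and `FIREBASE_CREDENTIALS`, `checkCredentials` and all field values are hypothetical.

```php
<?php
// Added illustration, not code from kreait/firebase-bundle. The key is a
// throwaway generated at runtime; every field value below is constructed.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($key, $pem); // multi-line PEM containing real newlines

// Equivalent of `jq -c .`: one line, newlines inside the key stored as JSON "\n" escapes.
$minified = json_encode([
    'type'         => 'service_account',
    'project_id'   => 'example-project',
    'private_key'  => $pem,
    'client_email' => 'sa@example-project.iam.gserviceaccount.com',
], JSON_UNESCAPED_SLASHES);

/** Returns a list of problems with a credentials value; an empty list means it is usable. */
function checkCredentials(string $envValue): array
{
    $problems = [];
    if (strpbrk($envValue, "\r\n") !== false) {
        $problems[] = 'value spans several lines, so it is not minified';
    }
    try {
        $data = json_decode($envValue, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return ['not valid JSON: ' . $e->getMessage()];
    }
    $pk = is_array($data) ? ($data['private_key'] ?? null) : null;
    if (!is_string($pk) || $pk === '') {
        return ['private_key is missing'];
    }
    if (strpos($pk, '\n') !== false) { // single quotes: a literal backslash followed by n
        $problems[] = 'private_key contains a literal backslash-n instead of newlines';
    }
    if (openssl_pkey_get_private($pk) === false) {
        $problems[] = 'OpenSSL cannot load private_key';
    }
    return $problems;
}

// Case 1: the whole minified document in one variable, decoded before use.
putenv('FIREBASE_CREDENTIALS=' . $minified);
var_dump(checkCredentials(getenv('FIREBASE_CREDENTIALS')));

// Case 2: only the key in its own variable, with "\n" as two literal characters.
$flatKey = str_replace("\n", '\n', $pem);
var_dump(openssl_pkey_get_private($flatKey));

// Case 3: the flattened key embedded in JSON stays flattened after decoding.
var_dump(checkCredentials(json_encode(['private_key' => $flatKey])));
```

Running a check like this against the decrypted secret before deployment catches a flattened key early, rather than at the first `openssl_sign()` call.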