Skip to content

docs: add details for Firebase projects when deploying #389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mschoettle merged 10 commits into from
Dec 16, 2025
Merged

docs: add details for Firebase projects when deploying #389

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
3e50566
docs: add details for Firebase projects when deploying
mschoettle Dec 1, 2025
97663ec
more details
mschoettle Dec 2, 2025
d18c68b
add missing dependency
mschoettle Dec 2, 2025
6b6fb6b
disable it again
mschoettle Dec 2, 2025
5bba0f9
add legacy argument
mschoettle Dec 2, 2025
4d04e53
improve docs
mschoettle Dec 3, 2025
7d6c60c
update instructions for service account
mschoettle Dec 3, 2025
5859713
Merge remote-tracking branch 'origin/main' into add-deployment-info
mschoettle Dec 15, 2025
ee18d5e
improvements
mschoettle Dec 15, 2025
0830731
remove redundant first step
mschoettle Dec 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,11 +84,17 @@ repos:
- id: check-renovate
args: ["--verbose"]
additional_dependencies: ['json5']
# requires: https://github.com/python-jsonschema/check-jsonschema/issues/341
# - id: check-jsonschema
# name: "Validate devcontainer"
# files: ^\.devcontainer/.*\.json$
# args: ["--schemafile", "https://raw.githubusercontent.com/devcontainers/spec/main/schemas/devContainer.schema.json"]
# additional_dependencies: ['json5']
# args: [
# "--schemafile",
# "https://raw.githubusercontent.com/devcontainers/spec/main/schemas/devContainer.schema.json",
# "--force-filetype",
# "json5",
# "--verbose",
# ]
# waiting for custom YAML tags support: https://github.com/python-jsonschema/check-jsonschema/issues/489
# - id: check-jsonschema
# name: "Validate MkDocs file"
Expand Down
37 changes: 34 additions & 3 deletions docs/development/local-dev-setup.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,9 +54,9 @@ You need your own Firebase project so that your local app can communicate with t
#### Create a new Firebase project

1. Open the [Firebase Console](https://console.firebase.google.com)
1. Click on "+ Add project"
1. Click on "Create a new Firebase project"
1. Give it a relevant project name, such as "Opal Local"
1. Uncheck "Enable Google Analytics for this project"
1. Uncheck "Enable Google Analytics for this project" and other options that are proposed to you
1. Click "Create project"

The "Authentication" and "Realtime Database" features are needed for communication between the apps and backend components.
Expand Down Expand Up @@ -89,15 +89,46 @@ See also the Firebase documentation on [Firebase Authentication](https://firebas

#### Retrieve the Firebase project configurations

Retrieve the client configuration:
Retrieve the client configuration for browser and Android apps:

##### Browser client configuration

1. Click on the settings icon (gear) next to "Project Overview"

1. Click on "Project Settings"

1. In the "General" tab, under "Your Apps", click the "\</>" icon

1. Choose an app nickname, such as "Opal Local"

You can also enable "Firebase Hosting" at this time if you are planning to use this project for production or intend to test the password reset feature in the app.

1. Click "Register app"

1. Copy the code and save it somewhere for later

##### Mobile app client configuration

1. Go back to the "Project Settings" page
1. In the "General" tab, under "Your Apps", click the Android icon
1. Choose an Android package name
1. Click "Register app"
1. Download the `google-services.json` file and save it somewhere for later

!!! question "Do I also need to add an iOS app?"

You do not need to add it if you are only building the iOS app.
The iOS app is reusing the `google-services.json` file during the build.

However, if you intend to use [Firebase App Distribution](https://firebase.google.com/docs/app-distribution) to distribute your mobile app to testers, you will need to register an iOS app as well.

1. Go back to the "Project Settings" page
1. In the "General" tab, under "Your Apps", click the iOS icon
1. Provide the Apple bundle ID of your app
1. Click "Register app"

##### Service account

Retrieve the private key for the admin SDK:

1. Go back to the "Project Settings" page and click on the "Service accounts" tab
Expand Down
145 changes: 145 additions & 0 deletions docs/install/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,90 @@ The database server can also be run on a separate server:

Relationships between components on the same host are left out for brevity (except those making use of third-party components).

### Requirements

You need at least one machine on which to deploy the Opal PIE.
This machine needs to have the [Docker Engine](https://docs.docker.com/engine/) and [Docker Compose](https://docs.docker.com/compose/) installed.
A compatible container engine that also has support for compose can also be used.

In addition, you need a Firebase project.

#### Create and set up a new Firebase project

If you don't have a dedicated Firebase project yet, follow the steps to [create a Firebase project](../development/local-dev-setup.md#create-a-new-firebase-project).
If you already have a dedicated Firebase project, ensure that you have done the following steps:

- [create a Realtime Database](../development/local-dev-setup.md#create-a-new-realtime-database)
- [enable email and password authentication](../development/local-dev-setup.md#enable-email-and-password-authentication)
- [retrieve Firebase configurations](../development/local-dev-setup.md#retrieve-the-firebase-project-configurations)

#### Restrict service account permissions

By default, Firebase creates a service account and API keys.
The service account likely has more permissions than are needed.
We recommend to restrict the permissions as much as possible.

Go to the [Service Accounts in Google Cloud](https://console.cloud.google.com/projectselector2/iam-admin/serviceaccounts) and select your Firebase project, then:

1. Click on the name of the service account that was created for you
1. Go to "Permissions" and click on "Manage access"
1. Update the assigned roles to match the following roles:
- *Firebase Authentication Admin*
- *Firebase Cloud Messaging Admin*
- *Firebase Realtime Database Admin*
- *Firebase Rules Admin*
1. Click "Save"

#### Retrieve the Apple Push Notification certificates

!!! note

These instructions are specific to *macOS* as they require the *Keychain Access* utility.

While push notifications on Android are delivered via *Firebase Cloud Messaging*, on iOS the *Apple Push Notification Service* is used.

The following instructions assume that your iOS app has already been created in [App Store Connect](https://appstoreconnect.apple.com/apps) and therefore has an *App ID*.

!!! success "Preparation: Generate a *Certificate Signing Request*"

As a preparation, follow the instructions to [create a certificate signing request](https://developer.apple.com/help/account/certificates/create-a-certificate-signing-request).

Log in to your [Apple Developer Account](https://developer.apple.com/account) and do the following:

1. Under "Program resources" > "Certificates, IDs & Profiles", click "Certificates"
1. Click the plus icon next to "Certificates"
1. Under "Services", select "Apple Push Notification service SSL (Sandbox & Production)" and click "Continue"
1. Select the App ID of your app and click "Continue"
1. Upload your certificate signing request and click "Continue"
1. Download your certificate

You now have a `.cer` file which needs to be imported to the keychain so it can be exported as a PKCS #12 archive:

1. Double-click the `.cer` file to add it to your keychain
1. In *Keychain Access*, select the "login" keychain and look for the "Apple Push Services: `<appID>`" certificate
1. Expand this certificate to reveal the private key entry
1. Select both certificate and private key
1. Right-click and select "Export 2 items..."
1. Save the `.p12` file somewhere
- Leave the password empty
- Confirm the export with your password and selecting "Allow"

The `Certificates.p12` file contains both the certificate and private key.
To separate them, run the following using the OpenSSL `pkcs12` command:

```console
# export certificate
openssl pkcs12 -in Certificates.p12 -clcerts -nokeys -legacy -out apn.crt
# export private key
openssl pkcs12 -in Certificates.p12 -nodes -nocerts -legacy -out apn.key
```

!!! note "Note on OpenSSL version"

The above commands assume that you are using OpenSSL v3 which requires the `-legacy` flag.
This is because older algorithms like the one used by keychain when exporting the certificates are disabled by default.
If you are using OpenSSL v1.1, remove the `-legacy` flag from the commands.

### Automated deployment

We offer a semi-automated deployment via a [`copier`](https://copier.readthedocs.io/en/stable/) template.
Expand All @@ -52,3 +136,64 @@ Please follow the instructions in the [`deploy-pie`](https://github.com/opalmeda

```plantuml source="docs/install/diagrams/deployment_diagram_user.puml"
```

### Requirements

#### Restrict Firebase API keys

We assume that you already [set up your Firebase project](#create-and-set-up-a-new-firebase-project) and [retrieved Firebase client configurations](../development/local-dev-setup.md#retrieve-the-firebase-project-configurations).
This means that API keys were already created for you.
By default, Firebase creates a service account and API keys with excessive permissions.

!!! question "Can new API keys be created instead?"

This is generally possible.
However, as part of the set up you will need to get a `google-services.json` file.
When this file is retrieved, Firebase automatically creates corresponding API keys.

Go to the [API Credentials in Google Cloud](https://console.cloud.google.com/apis/credentials) and select the corresponding Firebase project.

##### Browser key

1. The browser key should have a name like "Browser key (auto created by Firebase)"

1. Click on its name to edit it

1. Under "Application restrictions", choose "Websites"

1. Add the following websites at a minimum to allow mobile app users to access this project

- `app://localhost`
- `http://localhost`
- `https://<your-firebase-project-id>.firebaseapp.com`

You should also add the base URL of your registration and web app to this list.

1. Under "API Restrictions", choose "Restrict key"

1. Choose the following APIs

- *FCM Registration API*
- *Firebase Realtime Database Management API*
- *Identity Toolkit API*

1. Click "Save"

##### Android key

1. The Android API key should have a name like "Android key (auto created by Firebase)"
1. Click on its name to edit it
1. Under "API Restrictions", choose "Restrict key"
1. Choose the following APIs
- *FCM Registration API*
- *Firebase Realtime Database Management API*
- *Identity Toolkit API*
- *Firebase Installations API*
1. Click "Save"

It is also possible to restrict the key further to a specific Android app.

##### iOS key

The iOS key gets generated when [registering an iOS app](../development/local-dev-setup.md#mobile-app-client-configuration).
This key, named "iOS key (auto created by Firebase)", is not needed and can be deleted.