App check unwanted enforcement on Firebase callable functions

183

Solution 1

I had the same experience. The docs say that you are supposed to check like this[1]:

  if (context.app == undefined) {
    throw new functions.https.HttpsError(
        'failed-precondition',
        'The function must be called from an App Check verified app.')
  }

But this is not the case in my experience; App Check starts to be enforced immediately, the moment you add App Check to your app.

EDIT:

Moreover, even without doing any check in my code, I can see this in the logs whenever I call one of my functions:

Callable request verification passed {"verifications":{"auth":"VALID","app":"VALID"}}

So it seems App Check happens automatically, at least in Callable Functions. If you want to bypass AppCheck in one of your functions, you might want to try an HTTP function instead (not Callable).

[1] Source https://firebase.google.com/docs/app-check/cloud-functions
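To illustrate the HTTP-function route mentioned above, here is an added example (not code from the question, the answers, or the Firebase project) of a request gate that always requires a valid Firebase ID token but only reports on App Check until an `enforceAppCheck` flag is turned on. The two verifier functions are injected so the block runs stand-alone; in a deployed `functions.https.onRequest` handler you would pass `(t) => admin.auth().verifyIdToken(t)` and `(t) => admin.appCheck().verifyToken(t)` (that wiring, the stub tokens and the `makeRequestGate` name are assumptions of this example, not part of the page). The result object mirrors the `{"verifications":{"auth":...,"app":...}}` shape seen in the callable logs so the two can be compared side by side.

```javascript
// Added example: an HTTP-handler gate that enforces auth and reports on App Check.
// Header keys are expected lowercase, as Node's req.headers provides them.

function bearerToken(headers) {
  const value = headers["authorization"] || "";
  const match = /^Bearer\s+(\S+)$/i.exec(value);
  return match ? match[1] : null;
}

// verifyIdToken / verifyAppCheckToken: async (token) => decoded claims, or throw.
// enforceAppCheck: false = log-only (the question's wish), true = reject like onCall.
function makeRequestGate({ verifyIdToken, verifyAppCheckToken, enforceAppCheck }) {
  return async function gate(headers) {
    const result = {
      verifications: { auth: "MISSING", app: "MISSING" },
      status: 200,
      reason: null,
    };

    // Authentication is always enforced.
    const idToken = bearerToken(headers);
    if (idToken) {
      try {
        result.uid = (await verifyIdToken(idToken)).uid;
        result.verifications.auth = "VALID";
      } catch (err) {
        result.verifications.auth = "INVALID";
      }
    }
    if (result.verifications.auth !== "VALID") {
      result.status = 401;
      result.reason = "unauthenticated";
      return result;
    }

    // App Check is verified whenever a token is present, but only enforced on request.
    const appCheckToken = headers["x-firebase-appcheck"];
    if (appCheckToken) {
      try {
        result.appId = (await verifyAppCheckToken(appCheckToken)).appId;
        result.verifications.app = "VALID";
      } catch (err) {
        result.verifications.app = "INVALID";
      }
    }
    if (enforceAppCheck && result.verifications.app !== "VALID") {
      result.status = 401;
      result.reason = "app-check-rejected";
    }
    return result;
  };
}

// Constructed stub verifiers standing in for the Admin SDK calls: each accepts one
// literal token and rejects everything else, which is how a dummy App Check token
// from a client with no attestation provider behaves against the real verifier.
const stubVerifyIdToken = async (t) => {
  if (t === "good-id-token") return { uid: "user-1" };
  throw new Error("auth/argument-error");
};
const stubVerifyAppCheckToken = async (t) => {
  if (t === "good-app-check-token") return { appId: "1:000:web:example" };
  throw new Error("app-check/invalid-argument");
};

const monitorOnlyGate = makeRequestGate({
  verifyIdToken: stubVerifyIdToken,
  verifyAppCheckToken: stubVerifyAppCheckToken,
  enforceAppCheck: false,
});
const enforcingGate = makeRequestGate({
  verifyIdToken: stubVerifyIdToken,
  verifyAppCheckToken: stubVerifyAppCheckToken,
  enforceAppCheck: true,
});

// Constructed request: valid ID token, dummy App Check token.
const sampleHeaders = {
  authorization: "Bearer good-id-token",
  "x-firebase-appcheck": "dummy-token",
};

async function demo() {
  console.log("monitor-only:", JSON.stringify(await monitorOnlyGate(sampleHeaders)));
  console.log("enforcing:   ", JSON.stringify(await enforcingGate(sampleHeaders)));
}
if (typeof require !== "undefined" && require.main === module) demo();
```

In monitor-only mode the same request that a callable function logs as `{"app":"INVALID","auth":"VALID"}` and rejects is served with status 200, while the INVALID verdict is still recorded for logging; flipping `enforceAppCheck` makes the gate behave like the callable path. Tallying those verdicts in the function logs before enforcing is the practical way to see how many clients would be cut off.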

Solution 2

From protocol specification for https.onCall:

Optional [Header]: X-Firebase-AppCheck: The Firebase App Check token provided by the client app making the request. The backend automatically verifies this token and decodes it, injecting the appId in the handler's context. If the token cannot be verified, the request is rejected. (Available for SDK >=3.14.0)

My guess is that calls to your callable function contain an invalid App Check token.

If you haven't configured DeviceCheck and/or App Attest attestation providers on your project but have included the App Check library on your client, your client code may be including a dummy App Check token when calling your function (full details on this GitHub issue).

The Firebase team is working through changes to make the experience less confusing. Please follow along in http://github.com/firebase/firebase-functions/issues/967 and https://github.com/FirebaseExtended/flutterfire/issues/6794 for status.

Author: thamey
Updated on December 02, 2022

Comments

  • thamey, over 1 year ago

    Without having changed anything in my Firebase callable functions code, but having re-deployed them, now they suddenly start rejecting all function invocations from my app with the error shown below. I would like NOT to use App Check until I am ready to make the changes needed. How do I stop my callable (https.onCall) Firebase functions from rejecting invalid App Checks, and instead only reject invalid Authentication?

    Failed to validate AppCheck token. FirebaseAppCheckError: Decoding App Check token failed. Make sure you passed the entire string JWT which represents the Firebase App Check token.
        at FirebaseAppCheckError.FirebaseError [as constructor] (/workspace/node_modules/firebase-admin/lib/utils/error.js:44:28)
        at FirebaseAppCheckError.PrefixedFirebaseError [as constructor] (/workspace/node_modules/firebase-admin/lib/utils/error.js:90:28)
        at new FirebaseAppCheckError (/workspace/node_modules/firebase-admin/lib/app-check/app-check-api-client-internal.js:187:28)
        at /workspace/node_modules/firebase-admin/lib/app-check/token-verifier.js:82:19
        at processTicksAndRejections (internal/process/task_queues.js:97:5) {
      errorInfo: {
        code: 'app-check/invalid-argument',
        message: 'Decoding App Check token failed. Make sure you passed the entire string JWT which represents the Firebase App Check token.'
      },
      codePrefix: 'app-check'
    } 
    
    Callable request verification failed: AppCheck token was rejected. {"verifications":{"app":"INVALID","auth":"VALID"}}
    

    The code rejecting all requests due to invalid App Check is super simple:

    const functions = require("firebase-functions");
    const admin = require("firebase-admin");
    admin.initializeApp();
    // Callable function with no App Check handling of its own
    exports.example = functions.https.onCall((data, context) => {
      return "test";
    });
    

    Package.json:

    "engines": {
        "node": "12"
    },
    "main": "index.js",
    "dependencies": {
      "firebase-admin": "^9.10.0",
      "firebase-functions": "^3.14.1"
    },
    
  • thamey, over 2 years ago
    Yes, this was also exactly what I noticed, and I thought I could make use of that exact functionality. Contrary to the documentation, it seems all the checks in reality are done automatically before the cloud function is even executed.
  • mastazi, over 2 years ago
    @thamey see my edit; I found out a bit more info by checking the function logs.