Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

firebase - App Check fails when accessing database from callable cloud function

I recently enabled App Check for my firebase app and enforced it on both my cloud functions and database. The cloud function workflow is behaving correctly. However, I can no longer access the database from the function. A minimal version of my callable function looks something like this:

exports.myFunc = functions.https.onCall(async (data, context) => {
  const adminApp = admin.initializeApp();
  const ref = adminApp.database().ref('some-node');
  
  if (context.app === undefined) {
    throw new functions.https.HttpsError(
      'failed-precondition',
      'The function must be called from an App Check verified app.',
    );
  }

  try {
    return (await ref.orderByKey().equalTo('foo').get()).exists()
  } catch(exc) {
    console.error(exc);
  }
});

This used to work before App Check, but now it fails and I see this in the logs:

@firebase/database: FIREBASE WARNING: Invalid appcheck token (https://my-project-default-rtdb.firebaseio.com/) Error: Error: Client is offline.

Seems like I need to do something extra to get the admin app to pass App Check verification down to the database, but I haven't been able to find any documentation on this yet. I also tried using the app instance from functions.app.admin instead of initializing a new one, but this didn't help.

I have the latest version of the packages:

"firebase-admin": "^9.10.0"
"firebase-functions": "^3.14.1"
like image 575
mhusaini Avatar asked Jun 25 '21 10:06

mhusaini


People also ask

What is Firebase attestation?

This attestation is attached to every request your app makes to your Firebase backend resources. App Check has built-in support for using the following services as attestation providers:

What is a firebase app check?

App Check guards access to your Firebase resources and custom backends by requiring API calls to contain a valid Firebase App Check token. These two concepts work together to help secure your app.

Why am I getting string token error in Cloud Functions?

The error you are getting on the Firebase side is hinting at something being wrong with your string token being passed to the function, can you share the code where you call your cloud function and the relevant parts of the function itself? Also I would suggest you try to log the value of the string token and check if it is the expected value.


Video Answer


1 Answers

firebaser here

The behavior you're seeing is not how it's supposed to work, and we've been able to reproduce it. Thanks for the clear report, and sorry you encountered this.

If you (re)install the Firebase Admin SDK today, you won't be experiencing this same problem as we've fixed the problem in the @firebase/database dependency (in this PR).

If you're (still) experiencing the problem, you can check if you have the correct @firebase/database dependency by running:

npm ls @firebase/database

results look something like this:

[email protected] /Users/you/repos/temp-admin
└─┬ [email protected]
  └── @firebase/[email protected]

If your @firebase/database version is lower than 0.10.8, you'll have to reinstall the Admin SDK, for example by deleting your node_modules directory and your package-lock.json file and running npm install again. This may also update other dependencies.

like image 52
Frank van Puffelen Avatar answered Oct 24 '22 04:10

Frank van Puffelen