I recently enabled App Check for my firebase app and enforced it on both my cloud functions and database. The cloud function workflow is behaving correctly. However, I can no longer access the database from the function. A minimal version of my callable function looks something like this:
exports.myFunc = functions.https.onCall(async (data, context) => {
const adminApp = admin.initializeApp();
const ref = adminApp.database().ref('some-node');
if (context.app === undefined) {
throw new functions.https.HttpsError(
'failed-precondition',
'The function must be called from an App Check verified app.',
);
}
try {
return (await ref.orderByKey().equalTo('foo').get()).exists()
} catch(exc) {
console.error(exc);
}
});
This used to work before App Check, but now it fails and I see this in the logs:
@firebase/database: FIREBASE WARNING: Invalid appcheck token (https://my-project-default-rtdb.firebaseio.com/) Error: Error: Client is offline.
Seems like I need to do something extra to get the admin
app to pass App Check verification down to the database, but I haven't been able to find any documentation on this yet. I also tried using the app instance from functions.app.admin
instead of initializing a new one, but this didn't help.
I have the latest version of the packages:
"firebase-admin": "^9.10.0"
"firebase-functions": "^3.14.1"
This attestation is attached to every request your app makes to your Firebase backend resources. App Check has built-in support for using the following services as attestation providers:
App Check guards access to your Firebase resources and custom backends by requiring API calls to contain a valid Firebase App Check token. These two concepts work together to help secure your app.
The error you are getting on the Firebase side is hinting at something being wrong with your string token being passed to the function, can you share the code where you call your cloud function and the relevant parts of the function itself? Also I would suggest you try to log the value of the string token and check if it is the expected value.
firebaser here
The behavior you're seeing is not how it's supposed to work, and we've been able to reproduce it. Thanks for the clear report, and sorry you encountered this.
If you (re)install the Firebase Admin SDK today, you won't be experiencing this same problem as we've fixed the problem in the @firebase/database
dependency (in this PR).
If you're (still) experiencing the problem, you can check if you have the correct @firebase/database
dependency by running:
npm ls @firebase/database
results look something like this:
[email protected] /Users/you/repos/temp-admin
└─┬ [email protected]
└── @firebase/[email protected]
If your @firebase/database
version is lower than 0.10.8
, you'll have to reinstall the Admin SDK, for example by deleting your node_modules
directory and your package-lock.json
file and running npm install
again. This may also update other dependencies.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With