firebase - App Check fails when accessing database from callable cloud function

Question

I recently enabled App Check for my firebase app and enforced it on both my cloud functions and database. The cloud function workflow is behaving correctly. However, I can no longer access the database from the function. A minimal version of my callable function looks something like this:

exports.myFunc = functions.https.onCall(async (data, context) => {
  const adminApp = admin.initializeApp();
  const ref = adminApp.database().ref('some-node');
  
  if (context.app === undefined) {
    throw new functions.https.HttpsError(
      'failed-precondition',
      'The function must be called from an App Check verified app.',
    );
  }

  try {
    return (await ref.orderByKey().equalTo('foo').get()).exists()
  } catch(exc) {
    console.error(exc);
  }
});

This used to work before App Check, but now it fails and I see this in the logs:

@firebase/database: FIREBASE WARNING: Invalid appcheck token (https://my-project-default-rtdb.firebaseio.com/) Error: Error: Client is offline.

Seems like I need to do something extra to get the admin app to pass App Check verification down to the database, but I haven't been able to find any documentation on this yet. I also tried using the app instance from functions.app.admin instead of initializing a new one, but this didn't help.

I have the latest version of the packages:

"firebase-admin": "^9.10.0"
"firebase-functions": "^3.14.1"

*firebaser here* That looks unexpected at first glance, so I'm going to check with the engineering team to see what's going on. — Frank van Puffelen, Jun 25 '21 at 14:27

Frank van Puffelen · Accepted Answer · 2021-07-26T23:30:43.717

9

firebaser here

The behavior you're seeing is not how it's supposed to work, and we've been able to reproduce it. Thanks for the clear report, and sorry you encountered this.

If you (re)install the Firebase Admin SDK today, you won't be experiencing this same problem as we've fixed the problem in the @firebase/database dependency (in this PR).

If you're (still) experiencing the problem, you can check if you have the correct @firebase/database dependency by running:

npm ls @firebase/database

results look something like this:

temp-admin@1.0.0 /Users/you/repos/temp-admin
└─┬ firebase-admin@9.11.0
  └── @firebase/database@0.10.8

If your @firebase/database version is lower than 0.10.8, you'll have to reinstall the Admin SDK, for example by deleting your node_modules directory and your package-lock.json file and running npm install again. This may also update other dependencies.

edited Jul 26 '21 at 23:30

answered Jun 25 '21 at 20:07

Frank van Puffelen

565,676
79
828
807

1

Thanks for the prompt action. Looking forward to the solution or workaround. – mhusaini Jun 25 '21 at 20:13
2

Thanks, Frank! waiting for the solution on our side as well :D We are excited to be able to use app-check in our app. – Glauber Jul 01 '21 at 15:00
5

*Firebaser here.* The fix is now available in `@firebase/database@0.10.8`. Thanks for bringing this issue to our attention! – Victor Fan Jul 26 '21 at 19:36

firebase - App Check fails when accessing database from callable cloud function

1 Answers1

Linked

Related