Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] AppCheck fails in debug environment with Firebase 11.9.0 #1009

Open
Nyankoo opened this issue Apr 29, 2024 · 13 comments
Open

[Bug] AppCheck fails in debug environment with Firebase 11.9.0 #1009

Nyankoo opened this issue Apr 29, 2024 · 13 comments
Labels
api: appcheck needs-attention Need Googler's attention

Comments

@Nyankoo
Copy link

Nyankoo commented Apr 29, 2024

Description

AppCheck fails in debug environment with Firebase 11.9.0, resulting in "Missing or insufficient permissions." when enforcing it through the dashboard.

Reproducing the issue

Firebase Unity SDK Version

11.9.0

Unity editor version

2021.3.35f

Installation Method

Unity Package Manager

Problematic Firebase Component(s)

App Check

Other Firebase Component(s) in use

Analytics, Authentication, Crashlytics, Firestore, In-App Messaging, Remote Config

Additional SDKs you are using

No response

Targeted Platform(s)

Apple Platforms, Android

Unity editor platform

Windows

Scripting Runtime

IL2CPP

Release Distribution Type

Pre-built SDK from https://firebase.google.com/download/unity

Relevant Log Output

FirestoreException: Missing or insufficient permissions.

If using CocoaPods for Apple platforms, the project's Podfile.lock

Expand Podfile.lock snippet
👀 Replace this line with the contents of your Podfile.lock!
@Nyankoo Nyankoo added new New issue. type: bug labels Apr 29, 2024
@google-oss-bot
Copy link

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@argzdev
Copy link

argzdev commented May 3, 2024

Hey @Nyankoo, thanks for reaching out. I was able to reproduce the same behavior. Oddly enough, when I tested this on a native android app, this is working alright. I'm guessing there might be a miscommunication between the different Firebase products with AppCheck in Unity. I'll go ahead and inform our engineers. Thanks!

@Nyankoo
Copy link
Author

Nyankoo commented May 3, 2024

@argzdev Glad it could also be reproduced on your end and I hope for a fix soon, as it makes testing in the Unity Editor quite hard.

@argzdev
Copy link

argzdev commented May 6, 2024

Hi @Nyankoo, so while I was waiting for engineering feedback. I noticed that after testing today, the issue went away. Upon further investigation, it looks like the issue was due to multiple reasons:

  1. Delayed "reaction" of the debug token from the App Check services, which was interpreted by the system as unverified requests.
  2. AppCheck does not work when testing it in the default Unity IDE. I noticed a different behavior where on the Unity IDE Firestore fails to write a document, and on the Android Emulator the Firestore write was able to go through. In this case, you'd have to Build and Run the app on an Android Emulator.
  3. Lastly, I noticed my Firestore rules was restricting the writing of the document. You could try isolating the issue by first testing without AppCheck and see if everything is working correctly. Perhaps this will isolate the issue.

Also I've tested using our quickstart for Firestore and added AppCheck:

protected virtual void Start()
    {

      FirebaseApp.CheckAndFixDependenciesAsync().ContinueWithOnMainThread(task =>
      {
        dependencyStatus = task.Result;
        if (dependencyStatus == DependencyStatus.Available)
        {
          InitializeFirebase();
          InitializeAppCheck();
        }
        else
        {
          Debug.LogError(
            "Could not resolve all Firebase dependencies: " + dependencyStatus);
        }
      });
    }

Let me know if this helps!

@argzdev argzdev added needs-info Need information for the developer and removed type: bug labels May 6, 2024
@Nyankoo
Copy link
Author

Nyankoo commented May 6, 2024

@argzdev Can you please elaborate on reason 2? App Check was working previously in the Unity Editor with the instructions found here:
https://firebase.google.com/docs/app-check/unity/debug-provider

It also explicitly states:

After you have registered your app for App Check, your app normally won't run on desktop platforms, in an emulator, or from a continuous integration (CI) environment, since those environments don't qualify as valid devices. If you want to run your app in such an environment during development and testing, you can create a debug build of your app that uses the App Check debug provider instead of a real attestation provider.

@google-oss-bot google-oss-bot added needs-attention Need Googler's attention and removed needs-info Need information for the developer labels May 6, 2024
@argzdev
Copy link

argzdev commented May 6, 2024

Reason #2 was the behavior I encountered when testing for both Unity and in Android Emulator. I believe you're right, it should be working even on desktop platforms as mentioned in the documentations. So I'm guessing the main culprit is that the Debug token doesn't work on the desktop platform, but works on the Android Emulator. Let me add that to my escalation for our engineers.

By the way, you mentioned that it was previously working. Could you specify which version were you using before encountering this behavior?

@argzdev argzdev added type: bug and removed needs-attention Need Googler's attention labels May 6, 2024
@Nyankoo
Copy link
Author

Nyankoo commented May 6, 2024

I do believe that it was working with 11.8.1, but this could also be a mix-up with recent changes of enforcement we did on the Firebase dashboard.

@argzdev
Copy link

argzdev commented May 6, 2024

We'll keep that in mind while investigating, thank you for the additional information!

@a-maurice
Copy link
Collaborator

Hi @Nyankoo

I tried it on my end, and it does work on my end without issue. I can get that error message by not setting up the DebugAppCheckProviderFactory correctly, so that is my best guess on what could be going wrong. It is important to note that setting the factory needs to be done before any other Firebase call.

Somethings to try, you could enable debug logging to see if anything stands out in the log about what AppCheck provider is being used with the calls.

Firebase.FirebaseApp.LogLevel = Firebase.LogLevel.Debug;

@Nyankoo
Copy link
Author

Nyankoo commented May 9, 2024

@a-maurice I just tried it too, and it's still not working for me. Which Unity version did you try it with?

Here is my code:

DebugAppCheckProviderFactory.Instance.SetDebugToken("MYDEBUGTOKEN"); //This is set to the correct debug token
FirebaseAppCheck.SetAppCheckProviderFactory(DebugAppCheckProviderFactory.Instance);

var dependencyStatus = await FirebaseApp.CheckAndFixDependenciesAsync();
if(dependencyStatus != DependencyStatus.Available)
{
      return;
}

//do Firebase calls after this

@a-maurice
Copy link
Collaborator

I tried it with 2021.3.38f1, and had previously done tests with 2021.3.13f1, so I doubt that would be part of the reason why. And yeah, that code looks like the correct order for things.

I do see that the Firestore SDK updated some of their dependencies in the iOS SDK, which is partially used by the desktop implementation, though looking over those changes nothing seems like it would be related to App Check issues. I assume it is all the calls to Firestore having issues, and not just a specific one? Are you using any of the other Firebase products that use App Check (Storage, Realtime Database, Functions), to see if those are working for you?

@Nyankoo
Copy link
Author

Nyankoo commented May 9, 2024

@a-maurice Only using Firestore that has App Check "enforced".

The additional debug message I'm getting is: "Would set key-value if running on a physical device: KEY-VALUE"

@looptheloop88 looptheloop88 added needs-attention Need Googler's attention and removed type: bug type: question labels Jun 24, 2024
@bonsenz
Copy link

bonsenz commented Sep 12, 2024

I think we're dealing with the same issue in Firebase 12.1.0. We try to write to Realtime Database on which we enforced AppCheck. The rules of the Realtime Database are empty:

{
  "rules": {

  }
}

If we're setting read and write permissions to true, everything works as expected (with and without initializing AppCheck).

In Unity we init AppCheck as mentioned above, but getting the following error in Unity Editor when trying to write to Realtime Database:

Firebase.Database.DatabaseException: Internal task faulted ---> System.AggregateException: One or more errors occurred. (This client does not have permission to perform this operation.) ---> Firebase.FirebaseException: This client does not have permission to perform this operation.

With following code I'm getting a token:

AppCheck.GetAppCheckTokenAsync(true).ContinueWithOnMainThread(task =>
            {
                AppCheckToken appCheckToken = task.Result;
                Debug.Log($"[FirebaseManager] AppCheck - {appCheckToken.Token}");
});

Also which Debug token you should use in Editor - iOS or Android?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
api: appcheck needs-attention Need Googler's attention
Projects
None yet
Development

No branches or pull requests

7 participants