
fireabase enforceAppCheck doesn't work #1377


Closed
bolds07 opened this issue Apr 14, 2023 · 11 comments

Comments

@bolds07

bolds07 commented Apr 14, 2023

I'm using Firebase Functions to build my system. I want to add extra layers of security to avoid brute-force attacks and others, and the App Check mechanism looked like a nice solution.

BUT IT DOESN'T WORK

I did everything written here:
https://firebase.google.com/docs/app-check/cloud-functions
https://firebase.google.com/docs/app-check/web/recaptcha-enterprise-provider

my function looks like:

exports.test = functions.runWith({ timeoutSeconds: 30, memory: '128MB', enforceAppCheck: true })
    .https.onCall(async (data, context) => {
        // log the payload and the callable context (context.app / context.auth)
        console.log(JSON.stringify(data));
        console.log(JSON.stringify(context));
    });

but yet it doesn't work

I can open Postman or any other REST request maker, put in the function URL and just post anything like

{
"data" : { "foo" : {}, "bar" : "bar"}
}
no headers, just a POST like this with the right URL, and the request goes through...

Wasn't enforceAppCheck: true supposed to ban random requests like this? If I look at the function logs I even get a log like this:

{
insertId: "6438df00000d1c3cc2e2d44e"
jsonPayload: {
message: "Callable request verification passed"
verifications: {
app: "MISSING"
auth: "MISSING"
}
}
labels: {3}
logName: "projects/qe/logs/cloudfunctions.googleapis.com%2Fcloud-functions"
receiveTimestamp: "2023-04-14T05:05:04.982509106Z"
resource: {2}
severity: "INFO"
timestamp: "2023-04-14T05:05:04.859196Z"
}
"Callable request verification passed"

What verification? It was literally a random request.

After this log line I get 2 more lines printing the stuff I put in the function; the context shows that context.app == null and context.auth == null.

Doesn't this app verification work at all? Is Firebase letting people randomly brute-force our functions?

@google-oss-bot
Collaborator

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@taeold taeold self-assigned this Apr 17, 2023
@taeold
Contributor

taeold commented Apr 17, 2023

Thanks for the issue report @bolds07.

Do you mind sharing the version of firebase-functions you are using? We introduced enforceAppCheck in v4 of our SDK, and I'm wondering if the issue you are seeing is related to that.

@taeold taeold added Needs: Author Feedback Issues awaiting author feedback api: appcheck and removed needs-triage labels Apr 17, 2023
@google-oss-bot google-oss-bot added Needs: Attention and removed Needs: Author Feedback Issues awaiting author feedback labels Apr 18, 2023
@taeold taeold added Needs: Author Feedback Issues awaiting author feedback and removed Needs: Attention labels May 5, 2023
@google-oss-bot
Collaborator

Hey @bolds07. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

@google-oss-bot
Collaborator

Since there haven't been any recent updates here, I am going to close this issue.

@bolds07 if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.

@trevor-rex

Hello @taeold, I am not able to fully replicate this but wanted to make some notes about my observations and make a feature request.

I have been able to verify that the enforceAppCheck option works properly on onCall functions, but have seen some weird behavior when invoking the onCall manually from Postman. When I manually invoke the function with a valid bearer token and without the "X-Firebase-AppCheck" header, I get a 401 error as expected. When I invoke the function with the aforementioned header and a valid app check token, the request succeeds as expected, however in the function logs when I inspect the "Callable request verification passed" log, the jsonPayload.verification.app still says MISSING which I found strange. This is even though the existence of the header clearly makes the request valid, and app check is being enforced. When I inspect the function log of a function with enforceAppCheck: true but the request comes from an actual iOS app, I see that jsonPayload.verification.app is VALID.

Additionally, I believe that the enforceAppCheck flag should also work with onRequest functions. It is the same exact logic to manually verify a token there as an on-call (pass in the X-Firebase-AppCheck header with the token from the frontend and call getAppCheck().verifyToken(token) on the backend to verify the token). It does not currently work on onRequest functions even though enforceAppCheck is a valid function option for onRequest functions. I can make a request to an onRequest function with enforceAppCheck: true and no X-Firebase-AppCheck header and get back a 200. Manually verifying the token is a valid workaround but I don't believe it should be necessary.

Thank you!

@jjoffrey

I have the same issue with onRequest.

By putting "enforceAppCheck: true", the function is still accessible via Postman without any token.

@acrolink

@jjoffrey

I am having the same issue.

@jjoffrey

jjoffrey commented Sep 23, 2023

Until this is fixed, I am using this function in TypeScript:

import { getAppCheck } from "firebase-admin/app-check";
// `constants` is the commenter's own module (not shown); constants.appCheckTokenKey
// holds the App Check header name, which the thread identifies as "X-Firebase-AppCheck".

/**
 * Function to check if the App Check token is valid
 * @param {Request} req - The request of the api call
 * @returns true only when a token is present and verifyToken accepts it
 */
export const appCheckVerification = async (req: any): Promise<boolean> => {
    const appCheckToken = req.header(constants.appCheckTokenKey);

    if (!appCheckToken) {
        console.log("No App Check token found");
        return false;
    }

    try {
        console.log("Verifying App Check token");
        // verifyToken throws for a malformed, expired or foreign-project token
        await getAppCheck().verifyToken(appCheckToken);
        return true;
    } catch (err) {
        console.log("App Check token verification failed", err);
        return false;
    }
};
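Building on the header-plus-verifyToken approach trevor-rex describes and the helper above, here is an added example (not code from this thread, from firebase-functions or from firebase-admin) that turns the check into a guard for onRequest-style handlers: a request whose App Check token is missing or fails verification is answered with 401 and the handler body is never entered. The verifier is injected so the guard runs offline; MinimalRequest, MinimalResponse, checkAppCheck, withAppCheck and makeReq are names assumed here, and in a deployed function the verifier would be `(t) => getAppCheck().verifyToken(t)`.

```typescript
// Added example, not from the thread or the Firebase SDKs: an App Check guard for
// onRequest-style handlers. The verifier is injected so this runs offline; in a
// deployed function pass (t) => getAppCheck().verifyToken(t) from "firebase-admin/app-check".
const APP_CHECK_HEADER = "X-Firebase-AppCheck";

// Minimal request/response shapes so the example does not depend on express types.
interface MinimalRequest { header(name: string): string | undefined; }
interface MinimalResponse {
  statusCode: number;
  body?: unknown;
  status(code: number): MinimalResponse;
  send(body?: unknown): MinimalResponse;
}
type TokenVerifier = (token: string) => Promise<unknown>;
type Handler = (req: MinimalRequest, res: MinimalResponse) => Promise<void> | void;
type GuardOutcome = "missing" | "invalid" | "ok";

// Classifies the request: no header, a header that fails verification, or a valid token.
async function checkAppCheck(req: MinimalRequest, verify: TokenVerifier): Promise<GuardOutcome> {
  const token = req.header(APP_CHECK_HEADER);
  if (!token) return "missing";
  try {
    await verify(token);   // the real verifier rejects malformed, expired or foreign tokens
    return "ok";
  } catch {
    return "invalid";
  }
}

// Wraps a handler so its body only runs after the token has been verified;
// anything else is answered with 401 and the handler is never entered.
function withAppCheck(verify: TokenVerifier, handler: Handler): Handler {
  return async (req, res) => {
    const outcome = await checkAppCheck(req, verify);
    if (outcome !== "ok") {
      res.status(401).send({ error: "Unauthorized", reason: `App Check token ${outcome}` });
      return;
    }
    await handler(req, res);
  };
}

// Constructed in-memory request (case-insensitive headers) for exercising the guard.
function makeReq(headers: Record<string, string>): MinimalRequest {
  const lower: Record<string, string> = {};
  for (const k of Object.keys(headers)) lower[k.toLowerCase()] = headers[k];
  return { header: (name) => lower[name.toLowerCase()] };
}
```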

@cloudatlas9

@jjoffrey This does not secure against malicious behavior intended to make you incur a high bill by polling your endpoint though, if I'm not mistaken?

@trevor-rex

trevor-rex commented Oct 13, 2023 via email

@cloudatlas9

@jjoffrey Based on what I remember from looking into it a year ago, I was of the opinion it would not count as a billed invocation (since the AppCheck token is evaluated in the middleware, before executing the actual Cloud Function logic).

But now I tried for 45 minutes to find information confirming this, unsuccessfully. So perhaps you're right.

Don't know if anyone can confirm for sure whether a rejected onCall request using the enforceAppCheck CallableOption counts as a billed invocation?
