Windows - FirebaseAppCheckError: App attestation failed.

[daviddomkar]

Environment

• Operating System version: Windows 11
• Firebase SDK version: "firebase-admin": "^11.10.1"
• Firebase Product: appcheck
• Node.js version: 18.17.0
• NPM version: 9.6.7

Problem description

When trying to use firebase admin SDK to generate custom appcheck token, the code throws the following exception:

FirebaseAppCheckError: App attestation failed.
    at AppCheckApiClient.toFirebaseError (C:\Users\David\Projects\temp\node_modules\firebase-admin\lib\app-check\app-check-api-client-internal.js:150:16)
    at C:\Users\David\Projects\temp\node_modules\firebase-admin\lib\app-check\app-check-api-client-internal.js:72:24
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  errorInfo: {
    code: 'app-check/permission-denied',
    message: 'App attestation failed.'
  },
  codePrefix: 'app-check'
}

This happens on my PC (Windows 11) and my laptop (Windows 11). However, it does not happen on my colleague's MacOS machine. The Firebase configuration was exactly the same on all these machines. I tried everything from switching node and dependency versions to tracing token requests with Wireshark to see the issue, but I just lost 3 whole days trying to fix this with no positive outcome. I seek any help I can.

Steps to reproduce:

I made a simple reproduction repo where the problem occurs: https://github.com/DavidDomkar/firebase-admin-app-check-create-token-bug

• You will need to create .env file based on .env.example and fill in the FIREBASE_APP_ID based on your project. Also, service-account.json file must be copied over to the repository root.
• Then run yarn install && yarn tsc && node lib/index.js to run the example and see the error.

Relevant Code:

import { initializeApp } from "firebase-admin/app";
import { getAppCheck } from "firebase-admin/app-check";

async function main() {
  const app = initializeApp();
  const appCheck = getAppCheck(app);
  const token = await appCheck.createToken(process.env.FIREBASE_APP_ID);
  console.log(token);
}

main();

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[lahirumaramba]

Hey @DavidDomkar the error you are seeing is usually caused by using incorrect service account credentials.

In the backend, if the incoming service account credentials are invalid, the backend will throw that error... and there are several ways for the credentials to be invalid

1. if no credentials are supplied
2. if the credentials have invalid signature
3. if the credential is for a different project

Are you able to test a different Firebase API other than App Check with your project? If it is failing for other APIs as well then the issue can be related to how you load your service account credentials

[daviddomkar]

Hi @lahirumaramba. Thank you for your suggestions, but the credentials are correct. They are supplied, have valid signatures, and are for the project I am using. I tried with different projects and different credentials to be sure. This also seems to affect only Windows, on MacOS, for example, the reproduction works. Only on my two Windows machines, it does not.

Maybe my recent observation can help - the issue recently disappeared for a few days, and then it appeared again. My guess is that when I am working on my project for the first time, a new app check token is issued fine, but when I do not work on it for some time and return to it, this issue appears. My guess is that the node HTTP layer on Windows is somehow caching the old token, which was used to fetch the app check token without using a new one. It is strange, but this is the only reasonable explanation for why this happens. It would also explain why it started working again after a few days - the cache expired. And now it does not work again. I am not familiar with the inner workings of node, but I went as far as stepping through the SDK code with breakpoints and comparing requests externally with Wireshark. They are exactly the same on MacOS as on Windows, but one is working, and the other does not.

[Harshkanani]

@DavidDomkar I am using Custom Provider for protecting my firebase resources from abuse as I am not distributing my app through play store. I am facing similar issue. I checked my Service account permissions and confirmed that I have Firebase AppCheck Admin all permissions and I am able to use all other firebase services but getting permission denied error when creating Appcheck token. I am using Windows 11. Any solution?

Exception FirebaseAppCheckError: App attestation failed. at AppCheckApiClient.toFirebaseError (F:\Projects\2.9.0\TEST_APPCHECK\TestServer\node_modules\firebase-admin\lib\app-check\app-check-api-client-internal.js:150:16) at F:\Projects\2.9.0\TEST_APPCHECK\TestServer\node_modules\firebase-admin\lib\app-check\app-check-api-client-internal.js:72:24 at process.processTicksAndRejections (node:internal/process/task_queues:95:5) { errorInfo: { code: 'app-check/permission-denied', message: 'App attestation failed.' }, codePrefix: 'app-check' }

[daviddomkar]

Hi @Harshkanani. Unfortunately, I am still experiencing the error and I don't have a solution. Since I am using Windows only for development and I am using the app check debug token I can ignore the error. But it is really annoying and I cannot test production builds locally. I am still waiting for someone from Firebase to pick this up but since you and me are the only occurences I guess they just ignore it. As I have written before, I have tried a lot of things to mitigate this but none worked, unfortunately. The only thing I observed is that sometimes the error goes away for a few days, and then appears again. My guess is that the expired token is cached somewhere despite the app sending a new one.

[ZiggyQubert]

I'm experiencing the same issue as well (I'm on a windows pc as well), one additional piece of information - sometimes it work correctly without any changes to code or data

[daviddomkar]

Would be great to have it fixed. Still experiencing it today.

[jdziek]

Hi. Im also experiencing this issue. The thing is that it's very erratic making it extremely difficult to debug. We suspect one of our customers is experiencing it too. In my particular case, we test different accounts in incognito mode where we follow a link supplied through an email. When the page first loads I get the "App attestation failed" error and I can't send requests to our backend due to an invalid appcheck token. I checked the requests and we do have an appcheck token which is weird. Even weirder, when I refresh the page, the appcheck works. We get a valid token, I can log in, send requests etc. Everything was fine till the beginning of April 2024, it just started happening recently, and as far as I know, it only happens to me and one customer. The customer is not using incognito. I would really appreciate any help.

EDIT: Appcheck doesn't work in Firefox on initial load either. Ive been wondering if its not a linux trait as I'm the only one in our company using it and I'm the only one experiencing that issue.

[BenJackGill]

I am having the same issue on MacOS. Also some projects work and some don't.

[hansdaapurba]

This is a legit issue. I created a token with firebase-admin. When tried to create another token with longer expiry time, got the error and been stuck since then. Might have something to do with Firebase's security measures.