firebase-admin-python

[FR] When is AppCheck gonna be integrated in python firebase-admin SDK?

Open GabrieleCalarota opened this issue 2 years ago • 6 comments

Is your feature request related to a problem? Please describe.
I really would like to protect my Python backend (FastAPI) with Firebase AppCheck.

Describe the solution you'd like
Have Firebase AppCheck directly in the firebase-admin SDK.

Describe alternatives you've considered
Run Node.js inside the Python environment (is this a safe thing to do?)

Additional context
[image]

GabrieleCalarota • Dec 14 '21 11:12

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot • Dec 14 '21 11:12

Hi @GabrieleCalarota, Thank you for the feature request. We do not have any plans to implement the App Check Python API on our immediate roadmap. However, we will use this issue to track any progress we make on this front. We also accept pull requests if someone in the community wants to work on this :)

lahirumaramba • Dec 15 '21 22:12

> Hi @GabrieleCalarota, Thank you for the feature request. We do not have any plans to implement the App Check Python API on our immediate roadmap. However, we will use this issue to track any progress we make on this front. We also accept pull requests if someone in the community wants to work on this :)

Thanks, do you have a list of activity in order to make this integration? I can't promise, but it's something we would really like to have in our backend.

GabrieleCalarota • Dec 16 '21 11:12

You can start by proposing the public API interface (use the Node.js API as an example).

In the meantime you can follow the steps in this blog post (see Verifying App Check tokens in other backend resources), the recommended way to secure your non-Node.js custom backend.

lahirumaramba • Feb 04 '22 17:02

> You can start by proposing the public API interface (use the Node.js API as an example).
>
> In the meantime you can follow the steps in this blog post (see Verifying App Check tokens in other backend resources), the recommended way to secure your non-Node.js custom backend.

Thanks for the info provided. I've actually found a workaround in the meantime (my backend resource is in Python / FastAPI): add a middleware call to Firebase Cloud Functions, which verifies the App Check token and returns 401 or 200 (API exposed on Cloud Functions), since the supported Firebase Cloud Functions runtime is now Node.js.

This is a temporary workaround, considering the high volume of requests that are gonna be billed on GCP, but I'll drop this here in case someone is looking for a temporary patch.

GabrieleCalarota • Feb 07 '22 08:02

Hello, any updates? I keep trying to generate a token based on #568, but I can't verify it using the described steps. Only Firebase-generated tokens can be verified. Also, if we generate a token using the service's JSON credentials, the header kid is the private key, and decoding with the Firebase App Check public JSON Web Key won't be possible, since there won't be a match. Thanks.

Edit: @lahirumaramba any news? Thanks.

catalin-florescu • Aug 07 '22 10:08

Thank you for your patience everyone! We just released firebase-admin v6.0.0 with app check token verification support. https://firebase.google.com/support/release-notes/admin/python#6.0.0 Let us know if you run into any issues.

lahirumaramba • Oct 06 '22 21:10
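
Added example (not part of the thread and not the project's own code): a framework-agnostic gate that a Python backend's middleware could call, using `firebase_admin.app_check.verify_token` from the v6.0.0 release announced above and producing the 401/200 outcome described in the earlier workaround. The `X-Firebase-AppCheck` header name, the `check_app_check` helper, the optional app-ID allowlist and the injectable `verify` parameter are assumptions made for illustration.

```python
from typing import Callable, Mapping, Optional, Set, Tuple

# Assumption: the client sends its App Check token in this request header.
APP_CHECK_HEADER = "X-Firebase-AppCheck"


def _sdk_verify(token: str) -> dict:
    """Verify with the Admin SDK (firebase-admin >= 6.0.0).

    Imported lazily so the module loads without the SDK installed;
    firebase_admin.initialize_app() must already have run at startup.
    """
    from firebase_admin import app_check
    return app_check.verify_token(token)


def check_app_check(
    headers: Mapping[str, str],
    verify: Callable[[str], dict] = _sdk_verify,
    allowed_app_ids: Optional[Set[str]] = None,
) -> Tuple[int, Optional[str]]:
    """Return (200, app_id) for a valid token, otherwise (401, None)."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get(APP_CHECK_HEADER.lower(), "").strip()
    if not token:
        return 401, None
    try:
        claims = verify(token)
    except Exception:
        # Fail closed: malformed token, bad signature, expiry, or a
        # failure to fetch the signing keys all reject the request.
        return 401, None
    # The SDK returns the decoded claims; the app ID is the token subject.
    app_id = claims.get("app_id") or claims.get("sub")
    if not app_id:
        return 401, None
    # Optional hypothetical allowlist: accept only known Firebase app IDs.
    if allowed_app_ids is not None and app_id not in allowed_app_ids:
        return 401, None
    return 200, app_id
```

In a FastAPI app this would be called from a dependency or middleware with `request.headers`, raising `HTTPException(status_code=401)` when the status is not 200.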

> Thank you for your patience everyone! We just released firebase-admin v6.0.0 with app check token verification support. https://firebase.google.com/support/release-notes/admin/python#6.0.0 Let us know if you run into any issues.

😍 😍 😍

GabrieleCalarota • Oct 07 '22 08:10