firebase-unity-sdk

[Bug] AppCheck fails in debug environment with Firebase 11.9.0

Open Nyankoo opened this issue 1 year ago • 19 comments

Description

AppCheck fails in debug environment with Firebase 11.9.0, resulting in "Missing or insufficient permissions." when enforcing it through the dashboard.

Reproducing the issue

  • Use the code provided in the following link with 11.9.0: https://firebase.google.com/docs/app-check/unity/debug-provider

Firebase Unity SDK Version

11.9.0

Unity editor version

2021.3.35f

Installation Method

Unity Package Manager

Problematic Firebase Component(s)

App Check

Other Firebase Component(s) in use

Analytics, Authentication, Crashlytics, Firestore, In-App Messaging, Remote Config

Additional SDKs you are using

No response

Targeted Platform(s)

Apple Platforms, Android

Unity editor platform

Windows

Scripting Runtime

IL2CPP

Release Distribution Type

Pre-built SDK from https://firebase.google.com/download/unity

Relevant Log Output

FirestoreException: Missing or insufficient permissions.

Apr 29 '24 22:04 Nyankoo

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

Apr 29 '24 22:04 google-oss-bot

Hey @Nyankoo, thanks for reaching out. I was able to reproduce the same behavior. Oddly enough, when I tested this on a native Android app, this is working alright. I'm guessing there might be a miscommunication between the different Firebase products with AppCheck in Unity. I'll go ahead and inform our engineers. Thanks!

May 03 '24 19:05 argzdev

@argzdev Glad it could also be reproduced on your end and I hope for a fix soon, as it makes testing in the Unity Editor quite hard.

May 03 '24 19:05 Nyankoo

Hi @Nyankoo, so while I was waiting for engineering feedback, I noticed after testing today that the issue went away. Upon further investigation, it looks like the issue was due to multiple reasons:

  1. Delayed "reaction" of the debug token from the App Check services, which was interpreted by the system as unverified requests.
  2. AppCheck does not work when testing it in the default Unity IDE. I noticed a different behavior where on the Unity IDE Firestore fails to write a document, and on the Android Emulator the Firestore write was able to go through. In this case, you'd have to Build and Run the app on an Android Emulator.
  3. Lastly, I noticed my Firestore rules were restricting the writing of the document. You could try isolating the issue by first testing without AppCheck and see if everything is working correctly. Perhaps this will isolate the issue.

Also I've tested using our quickstart for Firestore and added AppCheck:

protected virtual void Start()
{
  FirebaseApp.CheckAndFixDependenciesAsync().ContinueWithOnMainThread(task =>
  {
    dependencyStatus = task.Result;
    if (dependencyStatus == DependencyStatus.Available)
    {
      InitializeFirebase();
      InitializeAppCheck();
    }
    else
    {
      Debug.LogError(
        "Could not resolve all Firebase dependencies: " + dependencyStatus);
    }
  });
}

Let me know if this helps!

May 06 '24 11:05 argzdev

@argzdev Can you please elaborate on reason 2? App Check was working previously in the Unity Editor with the instructions found here: https://firebase.google.com/docs/app-check/unity/debug-provider

It also explicitly states:

After you have registered your app for App Check, your app normally won't run on desktop platforms, in an emulator, or from a continuous integration (CI) environment, since those environments don't qualify as valid devices. If you want to run your app in such an environment during development and testing, you can create a debug build of your app that uses the App Check debug provider instead of a real attestation provider.

May 06 '24 11:05 Nyankoo

Reason #2 was the behavior I encountered when testing for both Unity and in Android Emulator. I believe you're right, it should be working even on desktop platforms as mentioned in the documentation. So I'm guessing the main culprit is that the Debug token doesn't work on the desktop platform, but works on the Android Emulator. Let me add that to my escalation for our engineers.

By the way, you mentioned that it was previously working. Could you specify which version you were using before encountering this behavior?

May 06 '24 11:05 argzdev

I do believe that it was working with 11.8.1, but this could also be a mix-up with recent changes of enforcement we did on the Firebase dashboard.

May 06 '24 12:05 Nyankoo

We'll keep that in mind while investigating, thank you for the additional information!

May 06 '24 12:05 argzdev

Hi @Nyankoo

I tried it on my end, and it does work on my end without issue. I can get that error message by not setting up the DebugAppCheckProviderFactory correctly, so that is my best guess on what could be going wrong. It is important to note that setting the factory needs to be done before any other Firebase call.

Something to try: you could enable debug logging to see if anything stands out in the log about what AppCheck provider is being used with the calls.

Firebase.FirebaseApp.LogLevel = Firebase.LogLevel.Debug;

May 08 '24 22:05 a-maurice
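
The ordering described in the comment above, as an added example that is not code from this thread or from the Firebase SDK. The class name and the `APP_CHECK_DEBUG_TOKEN` environment variable are hypothetical; it assumes the debug token is registered in the Firebase console and that the debug provider should only exist in Editor and development builds.

```csharp
using Firebase;
using Firebase.AppCheck;
using Firebase.Extensions;
using UnityEngine;
// Added example; class name and environment variable name are hypothetical.
public class AppCheckDebugBootstrap : MonoBehaviour
{
  const string TokenEnvVar = "APP_CHECK_DEBUG_TOKEN"; // hypothetical name
  void Awake()
  {
#if UNITY_EDITOR || DEVELOPMENT_BUILD
    // Read the debug token from the environment so it never lands in source control.
    string token = System.Environment.GetEnvironmentVariable(TokenEnvVar);
    if (string.IsNullOrEmpty(token))
    {
      Debug.LogError(TokenEnvVar + " is not set; skipping Firebase initialization.");
      return;
    }
    // Provider factory first, before any other Firebase call.
    DebugAppCheckProviderFactory.Instance.SetDebugToken(token);
    FirebaseAppCheck.SetAppCheckProviderFactory(DebugAppCheckProviderFactory.Instance);
    FirebaseApp.LogLevel = LogLevel.Debug;
#endif
    // Release builds: install the platform attestation provider here instead.
    FirebaseApp.CheckAndFixDependenciesAsync().ContinueWithOnMainThread(dep =>
    {
      if (dep.IsFaulted || dep.Result != DependencyStatus.Available)
      {
        Debug.LogError("Firebase dependencies unavailable: " +
          (dep.IsFaulted ? dep.Exception.ToString() : dep.Result.ToString()));
        return;
      }
      VerifyAppCheckToken();
    });
  }

  void VerifyAppCheckToken()
  {
    FirebaseAppCheck.DefaultInstance.GetAppCheckTokenAsync(true).ContinueWithOnMainThread(t =>
    {
      if (t.IsFaulted || t.IsCanceled)
      {
        Debug.LogError("App Check token exchange failed: " + t.Exception);
        return;
      }
      // The token is a bearer credential: log its expiry, never its value.
      Debug.Log("App Check token obtained; expires " + t.Result.ExpireTime.ToString("u"));
    });
  }
}
```

A successful exchange here only shows that the debug token was accepted; a "Missing or insufficient permissions" error after that point comes from the backend's security rules or enforcement settings.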

@a-maurice I just tried it too, and it's still not working for me. Which Unity version did you try it with?

Here is my code:

DebugAppCheckProviderFactory.Instance.SetDebugToken("MYDEBUGTOKEN"); // This is set to the correct debug token
FirebaseAppCheck.SetAppCheckProviderFactory(DebugAppCheckProviderFactory.Instance);

var dependencyStatus = await FirebaseApp.CheckAndFixDependenciesAsync();
if (dependencyStatus != DependencyStatus.Available)
{
    return;
}

// do Firebase calls after this

May 09 '24 20:05 Nyankoo

I tried it with 2021.3.38f1, and had previously done tests with 2021.3.13f1, so I doubt that would be part of the reason why. And yeah, that code looks like the correct order for things.

I do see that the Firestore SDK updated some of their dependencies in the iOS SDK, which is partially used by the desktop implementation, though looking over those changes nothing seems like it would be related to App Check issues. I assume it is all the calls to Firestore having issues, and not just a specific one? Are you using any of the other Firebase products that use App Check (Storage, Realtime Database, Functions), to see if those are working for you?

May 09 '24 20:05 a-maurice

@a-maurice Only using Firestore that has App Check "enforced".

The additional debug message I'm getting is: "Would set key-value if running on a physical device: KEY-VALUE"

May 09 '24 20:05 Nyankoo

I think we're dealing with the same issue in Firebase 12.1.0. We try to write to Realtime Database on which we enforced AppCheck. The rules of the Realtime Database are empty:

{
  "rules": {

  }
}

If we're setting read and write permissions to true, everything works as expected (with and without initializing AppCheck).

In Unity we init AppCheck as mentioned above, but get the following error in the Unity Editor when trying to write to Realtime Database:

Firebase.Database.DatabaseException: Internal task faulted ---> System.AggregateException: One or more errors occurred. (This client does not have permission to perform this operation.) ---> Firebase.FirebaseException: This client does not have permission to perform this operation.

With the following code I'm getting a token:

AppCheck.GetAppCheckTokenAsync(true).ContinueWithOnMainThread(task =>
{
    AppCheckToken appCheckToken = task.Result;
    Debug.Log($"[FirebaseManager] AppCheck - {appCheckToken.Token}");
});

Also, which debug token should you use in the Editor: iOS or Android?

Sep 12 '24 09:09 bonsenz

@bonsenz It works for us in the Unity Editor only when using the Android debug token; for some reason the iOS debug token doesn't work in the Editor.

Dec 18 '24 08:12 vg-swift

Also having this issue. A workaround that works sometimes, and is still annoying, is somehow deleting the Firebase cache: C:\Users\***\AppData\Local\com.my-app

Dec 19 '24 10:12 flaengel

AppCheck doesn't seem to work in the Editor on Mac when the target is set to iOS; switching it to Android works, though.

Jan 02 '25 10:01 vg-swift

Are we supposed to use one Debug Token per user? I wonder if our issue is that we all share the same Debug Token.

Jan 16 '25 16:01 vg-swift