
🐛 [firebase_app_check] Add support to nonce in getToken function

Open lucasgsa opened this issue 2 years ago • 7 comments

Context

I have developed an application that sends sensitive information, which should only be transmitted by the application itself. To ensure security, the integrity token is validated in the backend API.

To prevent man-in-the-middle attacks, I need to hash the request content and have the backend verify that the hash of the received request matches the nonce.

Having this feature in my application is of utmost importance. If it is not supported, I won't be able to use the library.

Expected behavior

FirebaseAppCheck.getToken(nonce: String)

lucasgsa avatar Jul 19 '23 19:07 lucasgsa

I have the same problem

waazeved avatar Jul 20 '23 20:07 waazeved

Accidentally posted a little too soon, and realized I misread what you had originally typed. Here is the new response:

Spoke with the team, this is something that we are exploring, but in the meantime we offer limitedUseAppCheck tokens which may not address your specific problem, but can help mitigate replay attacks against your backend resources for the time being.

nohe427 avatar Jul 28 '23 17:07 nohe427

Thank you for this feature request. To add more color on @nohe427's response, this feature is sometimes known as content binding, as you are binding information about the request into the signed token itself, thus limiting the purposes for which the token can be used when backends check for it. Hashing the request itself is the most common use of this feature, but it is not the only one.

When weighing our next priorities, we decided to first work on the one-time-use token use case that @nohe427 mentioned above, as that is the more common feature developers have been asking for. While we won't be able to give you a timeline, rest assured that we are fully aware of content binding as an important use case.

weixifan avatar Jul 31 '23 23:07 weixifan
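The content-binding idea described in the request and in the reply above, shown end to end as an added example (not code from FlutterFire or Firebase): the client hashes the request body and asks for a token carrying that hash as its nonce, and the backend recomputes the hash over the body it actually received and compares it with the nonce inside the signature-checked token. The token layout and the HMAC-SHA256 signature with a shared key are assumptions standing in for App Check's real signed token, which this thread does not specify.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key: App Check signs tokens with Google-held keys; a shared
# HMAC key is only a stand-in so the example runs offline.
KEY = secrets.token_bytes(32)


def body_hash(body: bytes) -> str:
    """Nonce the client would pass to getToken(nonce=...): SHA-256 of the body."""
    return hashlib.sha256(body).hexdigest()


def issue_token(nonce: str, app_id: str = "demo-app") -> str:
    """Stand-in for the attestation service: signs a payload that binds the nonce.

    Assumed format: '<json payload>.<hex signature>'.
    """
    payload = json.dumps({"sub": app_id, "nonce": nonce}, separators=(",", ":"))
    sig = hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_request(token: str, body: bytes) -> bool:
    """Backend check: signature must verify AND nonce must equal the hash of
    the body that actually arrived, so a valid token cannot be reused with a
    different body (the man-in-the-middle case from the request)."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # forged or altered token
    claims = json.loads(payload)
    return hmac.compare_digest(claims.get("nonce", ""), body_hash(body))


def demo() -> tuple[bool, bool]:
    """Returns (genuine request accepted, tampered body rejected)."""
    body = b'{"action":"transfer","amount":100}'        # constructed request
    token = issue_token(body_hash(body))                 # client side
    accepted = verify_request(token, body)               # backend, untouched body
    # Same valid token replayed with a modified body: the nonce no longer matches.
    tampered = verify_request(token, b'{"action":"transfer","amount":9999}')
    return accepted, tampered
```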

This is a feature request upstream of FlutterFire which is a wrapper around the native Firebase SDKs.

russellwheatley avatar Oct 12 '23 11:10 russellwheatley

I can relate, as I'm facing a similar challenge.

hiarlyfs avatar Dec 14 '23 18:12 hiarlyfs

This feature is also blocking the use of the library for me; my team won't let me use it for security reasons until it's supported.

guilhermeg2k avatar Mar 12 '24 13:03 guilhermeg2k

I am also experiencing the same problem. The lack of nonce support in the function is a limitation that, in my case, makes its use unfeasible.

ledica avatar May 24 '24 14:05 ledica

Thank you for highlighting this missing feature.

Since FlutterFire is a wrapper around the native SDKs, we suggest posting a new idea on Firebase UserVoice or opening a new issue in the relevant native SDK repository (iOS/Android/JS/etc). Once the feature is implemented on the native side, we can implement it in FlutterFire as well.

I will be closing this issue for now.

TarekkMA avatar Jul 02 '24 12:07 TarekkMA