flutterfire icon indicating copy to clipboard operation
flutterfire copied to clipboard

Published 20 hours ago • verified publisher icon firebase

🚀 [firebase_app_check] Missing support for custom App Check providers

Open MarcVanDaele90 opened this issue 1 year ago • 11 comments

Bug report

On https://firebase.google.com/docs/app-check/custom-provider, it is explained how to implement a custom App Check provider and it links to pages on how to use this custom provider in Apple, Android and web. However, afaics, it is not possible to use this custom provider in Flutter right now!

Can you also add support for custom providers?

I would like to use custom providers to support the whitelist (cfr discussion https://github.com/firebase/flutterfire/discussions/12222)

MarcVanDaele90 avatar Jan 31 '24 07:01 MarcVanDaele90

@MarcVanDaele90 Check if this issue resembles your case or not.

darshankawar avatar Jan 31 '24 10:01 darshankawar

@darshankawar Thanks for looking at this. I'm not sure to which part of the issue you refer to. As I see it, the issue contains three parts

  1. creating a custom provider (ReactNativeFirebaseAppCheckProvider implements AppCheckProvider)
  2. using it to generate debug tokens
  3. passing the customer provider to initializeAppCheck()

Creating a custom provider (with cloud functions) is documented on https://firebase.google.com/docs/app-check/custom-provider so I don't think we need anything extra for this.

I think the main thing missing right now is the ability to pass the custom provider to FirebaseAppCheck.instance.activate

Part 2 could be a temporary solution for my whitelist problem but I'm not sure I understand it correctly: Would it be the intention to add a "debug" flag to the ReCaptchaV3Provider object which would generate a debug token on-the-fly when set?

await FirebaseAppCheck.instance.activate(
          webProvider: ReCaptchaV3Provider(appCheckKey)
      );

If so, I could indeed

  • set this debug flag for all customers in my whitelist (thereby skipping the actual recaptcha)
  • leave it empty for other customers in which case the behavior would be unchanged

This would be a nice fix for my current problem. Though I still think that, in the long run, Flutter should also support custom providers.

MarcVanDaele90 avatar Jan 31 '24 13:01 MarcVanDaele90

Thanks for the feedback.

darshankawar avatar Feb 01 '24 09:02 darshankawar

Also, I would like to implement a custom app check provider in Flutter but there is no way to do it currently. Now that SMS costs are per send and not per sign-in, it is risky to use Firebase auth without app check, and we need a way to whitelist some users.

zvikarp avatar Feb 05 '24 08:02 zvikarp

@darshankawar is it possible to give an update? Is it possible to give a high level timeline?
We would really like to implement a custom app check provider in Flutter because app check is blocking valid customers.
I'm certainly willing to help where possible.

MarcVanDaele90 avatar Feb 21 '24 12:02 MarcVanDaele90

A short status-update would be appreciated. Any idea if (and when) this will be added?

MarcVanDaele90 avatar May 15 '24 14:05 MarcVanDaele90