FirebaseModelDownloader throws 403 error with API Keys that have app restrictions

[kabeer-uber]

[REQUIRED] Step 2: Describe your environment

• Android Studio version: 4.1.3
• Firebase Component: FirebaseModelDownloader
• Component version: 23.0.0

[REQUIRED] Step 3: Describe the problem

getModel() with FirebaseModelDownloader throws a 403 error with Google API keys that have android app restrictions.

Steps to reproduce:

Create any project and add android app restrictions, use this API key with the FirebaseModelDownloader project to trigger ML model downlaods

API keys without android app restrictions work, hence changing to None does not throw a 403 error.

Relevant Code:

Code culprit is here as we aren't adding X-Android-Package and X-Android-Cert in the headers and adding only API key.

firebase-android-sdk/firebase-ml-modeldownloader/src/main/java/com/google/firebase/ml/modeldownloader/internal/CustomModelDownloadService.java

Line 170 in 976ea2f

connection.setRequestProperty(API_KEY_HEADER, apiKey);

 @NonNull
  public Task<CustomModel> getCustomModelDetails(
      String projectNumber, String modelName, String modelHash) {
    try {
      URL url =
          new URL(String.format(DOWNLOAD_MODEL_REGEX, downloadHost, projectNumber, modelName));
      HttpURLConnection connection = (HttpURLConnection) url.openConnection();
      connection.setConnectTimeout(CONNECTION_TIME_OUT_MS);
      connection.setRequestProperty(ACCEPT_ENCODING_HEADER_KEY, GZIP_CONTENT_ENCODING);
      connection.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON);
      if (modelHash != null && !modelHash.isEmpty()) {
        connection.setRequestProperty(IF_NONE_MATCH_HEADER_KEY, modelHash);
      }

      Task<InstallationTokenResult> installationAuthTokenTask =
          firebaseInstallations.getToken(false);
      return installationAuthTokenTask.continueWithTask(
          executorService,
          (CustomModelTask) -> {
            if (!installationAuthTokenTask.isSuccessful()) {
              ErrorCode errorCode = ErrorCode.MODEL_INFO_DOWNLOAD_CONNECTION_FAILED;
              String errorMessage = "Failed to get model due to authentication error";
              int exceptionCode = FirebaseMlException.UNAUTHENTICATED;
              if (installationAuthTokenTask.getException() != null
                  && (installationAuthTokenTask.getException() instanceof UnknownHostException
                      || installationAuthTokenTask.getException().getCause()
                          instanceof UnknownHostException)) {
                errorCode = ErrorCode.NO_NETWORK_CONNECTION;
                errorMessage = "Failed to retrieve model info due to no internet connection.";
                exceptionCode = FirebaseMlException.NO_NETWORK_CONNECTION;
              }
              eventLogger.logDownloadFailureWithReason(
                  new CustomModel(modelName, modelHash, 0, 0L), false, errorCode.getValue());
              return Tasks.forException(new FirebaseMlException(errorMessage, exceptionCode));
            }

            connection.setRequestProperty(
                INSTALLATIONS_AUTH_TOKEN_HEADER, installationAuthTokenTask.getResult().getToken());
            connection.setRequestProperty(API_KEY_HEADER, apiKey);
            return fetchDownloadDetails(modelName, connection);
          });

    } catch (IOException e) {
      eventLogger.logDownloadFailureWithReason(
          new CustomModel(modelName, modelHash, 0, 0L),
          false,
          ErrorCode.MODEL_INFO_DOWNLOAD_CONNECTION_FAILED.getValue());

      return Tasks.forException(
          new FirebaseMlException(
              "Error reading custom model from download service: " + e.getMessage(),
              FirebaseMlException.INVALID_ARGUMENT));
    }
  }

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[aguatno]

Hi @kabeer-uber thanks for reporting. Currently I wasn't able to reproduce the issue, could you help me? If you would be able to provide runnable sample code that would be great for the team.

[kabeer-uber]

@aguatno I have pushed the code of the app here
https://github.com/kabeer-uber/firebase-ml-bug-2647

The code is pretty straightforward

        FirebaseApp.initializeApp(this)

        FirebaseModelDownloader.getInstance()
                .getModel("mv2_50_e47_q_v4_fix", DownloadType.LOCAL_MODEL_UPDATE_IN_BACKGROUND, CustomModelDownloadConditions.Builder().build())
                .addOnSuccessListener { model -> // Download complete. Depending on your app, you could enable the ML
                    Log.d(TAG, "onSuccess() called with: model = $model")
                }
                .addOnFailureListener { failure ->
                    Log.d(TAG, "onFailure() called with: failure = $failure")
                }

Please note the real issue is when you run this code with API Key restrictions such as shown below.

[aguatno]

Hi @kabeer-uber sorry for getting back late. Our engineers are still looking for potential solution and we are doing anything what we can, but I can't make any promises as to when this will be fixed. We'll reach out to you as soon as there is an update on it. Internal Reference Bug#189321212.

[argzdev]

Closing since this has already been merged. Thanks!