@taeold taeold commented Oct 12, 2021

Since releasing App Check integration for Callable Functions, we've received several requests from our users to make it possible to turn App Check enforcement off. By default, if a request includes an App Check token, callable functions will verify the token, and - if the token is invalid - reject the request. This makes it hard for developers to onboard to App Check, especially for developers that want to "soft launch" App Check integration to measure the impact App Check enforcement would have on their users.

The change here adds a runWith option to allow requests with an invalid App Check token to continue to user code execution, e.g.:

exports.yourCallableFunction = functions
  .runWith({
    allowInvalidAppCheckToken: true  // Opt-out: requests with an invalid App Check token continue to user code.
  })
  .https.onCall((data, context) => {
    // Requests with an invalid App Check token are not rejected.
    //
    // context.app will be undefined if the request:
    //   1) Does not include an App Check token
    //   2) Includes an invalid App Check token
    if (context.app == undefined) {
      // Users can manually inspect the raw request header to check whether an App Check
      // token was provided in the request (rawRequest is the underlying Express request).
      const rawToken = context.rawRequest.header('X-Firebase-AppCheck');
      if (rawToken == undefined) {
        throw new functions.https.HttpsError(
            'failed-precondition',
            'The function must be called from an App Check verified app.'
        );
      } else {
        throw new functions.https.HttpsError(
            'unauthenticated',
            'Provided App Check token failed to validate.'
        );
      }
    }
  });

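As an added example that is not part of the PR or of the firebase-functions code base, the following shows how a handler using the opt-out described above could count missing, invalid and verified App Check tokens during a soft launch and only reject once enforcement is switched on. The context shape and `header()` lookup follow the v1 callable API used in the snippet above; the request contexts and token strings are constructed stand-ins, not real SDK objects.

```javascript
// Added example (not code from the PR): measure App Check outcomes during a
// "soft launch", assuming the v1 callable context (context.app, context.rawRequest
// as an Express request) and allowInvalidAppCheckToken: true so bad tokens reach user code.
const APP_CHECK_HEADER = 'X-Firebase-AppCheck';

// Returns 'verified', 'missing' or 'invalid'. With the opt-out enabled, context.app
// is undefined in both non-verified cases; only the raw header tells them apart.
function classifyAppCheck(context) {
  if (context.app !== undefined) return 'verified';
  const rawToken = context.rawRequest.header(APP_CHECK_HEADER);
  return rawToken === undefined ? 'missing' : 'invalid';
}

// Counts each outcome so the impact of enforcement can be measured before it is on.
// When enforce is true, check() returns the HttpsError code/message to throw;
// null means the request may proceed to user code.
function makeSoftLaunchGate({ enforce }) {
  const counts = { verified: 0, missing: 0, invalid: 0 };
  function check(context) {
    const outcome = classifyAppCheck(context);
    counts[outcome] += 1;
    if (!enforce || outcome === 'verified') return null;
    return outcome === 'missing'
      ? { code: 'failed-precondition',
          message: 'The function must be called from an App Check verified app.' }
      : { code: 'unauthenticated',
          message: 'Provided App Check token failed to validate.' };
  }
  return { counts, check };
}

// Constructed stand-in for the callable context: headers is a plain object,
// app is what the SDK would set after successful token verification.
function fakeContext(headers, app) {
  return { app, rawRequest: { header: (name) => headers[name] } };
}

// Constructed sample traffic: one verified, one tokenless, one bad token.
const SAMPLE_REQUESTS = [
  fakeContext({ [APP_CHECK_HEADER]: 'constructed-valid-token' }, { appId: 'demo-app' }),
  fakeContext({}, undefined),
  fakeContext({ [APP_CHECK_HEADER]: 'constructed-bad-token' }, undefined),
];

function runSample(enforce) {
  const gate = makeSoftLaunchGate({ enforce });
  const rejected = SAMPLE_REQUESTS.map(gate.check).filter(Boolean);
  return { counts: gate.counts, rejected };
}
```

Running with `enforce: false` only tallies outcomes, which is the measurement the PR description calls a soft launch; flipping to `enforce: true` rejects the same requests the default behaviour would.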
@taeold taeold requested review from inlined and colerogers October 12, 2021 21:54
@google-cla google-cla bot added the cla: yes label Oct 12, 2021

@inlined inlined left a comment


Even though it's an HTTPS-only feature, I wonder if the v2 API should support allowInvalidAppCheckToken in GlobalOptions. It just feels like the kind of thing people are going to want to turn on or off globally.


taeold commented Oct 14, 2021

@inlined That's a great idea. I'm going to strip v2 related changes in this PR to give that idea a bit more time to develop.

@taeold taeold merged commit 63bd14d into master Oct 14, 2021
@taeold taeold deleted the dl-disable-appcheck branch October 14, 2021 22:21