-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(app-check)!: update activate()
to be able to choose android app attest provider. Support Play Integrity provider. Deprecate Safety Net provider
#9646
Conversation
private final String TAG = "FLTAppCheckPlugin"; | ||
|
||
private final String debugProvider = "debug"; | ||
private final String safetyNetProvider = "safetyNet"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it's deprecated, shouldn't we just remove it from this release? If a developer still wants to use it, they'll keep using the previous version?
So we can keep the previous API (debug or not) and just make breaking the type of provider?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be great to have this. Current recommandations from firebase communication team is to ship new apps with this and safety net is marked as deprecated. Doesn't make sense to not have it. If app check is available on flutter we must have PlayIntegrity. Well TBH i'll launch a brand new app soon and I'd like to have it. :D
Should also close #9050 |
activate()
to be able to choose android app attest provider. Now includes Play Integrity provider.activate()
to be able to choose android app attest provider. Now includes Play Integrity provider. Deprecate Safety Net provider
activate()
to be able to choose android app attest provider. Now includes Play Integrity provider. Deprecate Safety Net provideractivate()
to be able to choose android app attest provider. Support Play Integrity provider. Deprecate Safety Net provider
when can we expect this to be released? |
// TODO: Since App Check is a beta SDK it's not available in the Firebase Android BoM so we need to specify an exact version here. | ||
implementation 'com.google.firebase:firebase-appcheck-safetynet:16.0.2' | ||
implementation 'com.google.firebase:firebase-appcheck-debug:16.0.2' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// TODO: Since App Check is a beta SDK it's not available in the Firebase Android BoM so we need to specify an exact version here. | |
implementation 'com.google.firebase:firebase-appcheck-safetynet:16.0.2' | |
implementation 'com.google.firebase:firebase-appcheck-debug:16.0.2' | |
// TODO: Since App Check is a beta SDK it's not available in the Firebase Android BoM so we need to specify an exact version here. | |
implementation 'com.google.firebase:firebase-appcheck-safetynet:16.0.2' | |
implementation 'com.google.firebase:firebase-appcheck-debug:16.0.2' |
Is this still needed with the TODO, are the versions in the BoM now - can address separate PR if need be, just checking :D
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess they are still needed as build fails due to missing symbols from those packages: https://github.com/firebase/flutterfire/actions/runs/3313899595/jobs/5472489288
This reverts commit 4570e78.
Testing the new version of the app_check package using the Play Integrity API as default, we could see that quite a few more devices would be blocked than if we used the Safety Net provider. This is probably a good thing in the longer run for security, but might lead to lots of angry users if the Play Integrity API verdicts are not also supported. To make sure users get the right feedback, I think it would be important that the flutter app_check SDK allows for listening to the optional Integrity API device_recognition_verdit responses (https://developer.android.com/google/play/integrity/verdict):
This will make it possible to provide users with the right information on why the app they have been using is suddenly not working anymore. |
Description
Breaking change. I've changed the API so that the android Play Integrity provider is the default. There's now an
AndroidProvider
enum to select the specific provider you wish in theactivate()
API. API now looks like this:AndroidProvider
options:Edit: I've updated so now Play Integrity is the default provider.
Here's a screenshot whilst using the new API. The "unverified: invalid requests" are from using the Play Integrity provider (we don't have an app in the Play Store so this was the next best thing 😓). I also tested the debug provider which you can see from the "verified requests":
I've also updated the App Check example to use "flutterfire-e2e-tests" Firebase projects across all platforms,and updated this issue:
#9643
Related Issues
closes #9178
Checklist
Before you create this PR confirm that it meets all requirements listed below by checking the relevant checkboxes (
[x]
).This will ensure a smooth and quick review process. Updating the
pubspec.yaml
and changelogs is not required.///
).melos run analyze
) does not report any problems on my PR.Breaking Change
Does your PR require plugin users to manually update their apps to accommodate your change?