Reputation: 170
Following the tutorial here, but when Firebase App Check is enforced all queries come back as denied:
W/FirebaseProfileService: GET FAILED WITH com.google.firebase.firestore.FirebaseFirestoreException: PERMISSION_DENIED: Missing or insufficient permissions.
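I have run the app check in the main activity and it doesn't produce any errors.
import com.google.firebase.FirebaseApp
import com.google.firebase.appcheck.FirebaseAppCheck
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory

fun appCheck() {
    FirebaseApp.initializeApp(this)
    val firebaseAppCheck = FirebaseAppCheck.getInstance()
    // Attest requests with the Play Integrity provider.
    firebaseAppCheck.installAppCheckProviderFactory(
        PlayIntegrityAppCheckProviderFactory.getInstance()
    )
}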
I can also see the request token in the logs.
I/PlayCore: UID: [] PID: [] IntegrityService : requestIntegrityToken(IntegrityTokenRequest{nonce=*****
I/PlayCore: UID: [] PID: [] IntegrityService : Initiate binding to the service.
I/PlayCore: UID: [] PID: [] IntegrityService : ServiceConnectionImpl.onServiceConnected(ComponentInfo{com.android.vending/com.google.android.finsky.integrityservice.IntegrityService})
I/PlayCore: UID: [] PID: [] IntegrityService : linkToDeath
W/Firestore: (24.1.2) [Firestore]: ********** failed: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}
"***" data has been omitted for privacy reasons
Is there any way to check AppCheck or PlayIntegrity errors? Cloud Monitoring only seems to monitor Cloud Functions. As stated before, all queries and Firestore rules work properly when AppCheck is not enforced.
There also doesn't seem to be any mention of where to specify the latest version of the app besides uploading a release to the Play Store console. Do I have to upload a release for AppCheck to allow Firestore queries?
Edit: I'm leaning towards this being an issue with IAM roles.
Upvotes: 6
Views: 1492
Reputation: 148
Check if your nonce is too short.
The value set in the nonce field must be correctly formatted:
String
URL-safe
Encoded as Base64 and non-wrapping
Minimum of 16 characters
Maximum of 500 characters
Upvotes: -1
Reputation: 170
This is the answer I got from Firebase Support. Apparently the app must be published before App Check will work with Play Integrity. My chat with Firebase:
Yes, it is necessary to have published the app in the Google Play Store, in order to have a valid SHA-256 fingerprint and then start validating the requests by PlayIntegrity. You can check this reference.
In your case, if the app is still in development, or in continuous integration, it would be better to use a debug token in the emulator.
Upvotes: 4
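One way to follow the support reply above and also surface the App Check errors the question asks about, as an added example that is not code from the thread or from Firebase: debuggable builds install the debug provider, release builds install Play Integrity, and an explicit token request logs any attestation failure. The class name `ExampleApp` and the log tag are hypothetical, and the sketch assumes both the `firebase-appcheck-playintegrity` and `firebase-appcheck-debug` dependencies are on the classpath.

```kotlin
import android.app.Application
import android.content.pm.ApplicationInfo
import android.util.Log
import com.google.firebase.FirebaseApp
import com.google.firebase.appcheck.FirebaseAppCheck
import com.google.firebase.appcheck.debug.DebugAppCheckProviderFactory
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory

// Hypothetical Application subclass; it must be registered in AndroidManifest.xml.
class ExampleApp : Application() {

    override fun onCreate() {
        super.onCreate()
        FirebaseApp.initializeApp(this)
        val appCheck = FirebaseAppCheck.getInstance()

        // True only for builds marked debuggable (development / CI builds).
        val debuggable = (applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0

        if (debuggable) {
            // The debug provider prints a debug secret to logcat on first use.
            // That secret has to be registered for the app in the Firebase
            // console before enforced requests are accepted. Treat it like a
            // credential: it bypasses device attestation.
            appCheck.installAppCheckProviderFactory(DebugAppCheckProviderFactory.getInstance())
        } else {
            // Release builds distributed through Google Play attest with Play Integrity.
            appCheck.installAppCheckProviderFactory(PlayIntegrityAppCheckProviderFactory.getInstance())
        }

        // Ask for a token directly so a provider failure shows up as an
        // exception here instead of only as PERMISSION_DENIED from Firestore.
        appCheck.getAppCheckToken(/* forceRefresh = */ false)
            .addOnSuccessListener { token ->
                // Log the expiry only; the token value itself should not be logged.
                Log.i(TAG, "App Check token obtained, expires at ${token.expireTimeMillis}")
            }
            .addOnFailureListener { e ->
                Log.e(TAG, "App Check token request failed", e)
            }
    }

    private companion object {
        const val TAG = "AppCheckSetup"
    }
}
```

To keep the debug provider out of release binaries entirely, the debug branch can instead live in the `debug` source set with the debug dependency declared as `debugImplementation`.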