Cătălin Florescu

Reputation: 5158

Firebase AppCheck custom provider

Currently I'm trying to use a custom provider for AppCheck and, according to the documentation, this implementation can be used to verify platforms other than those currently allowed, more specifically:

  • You want to verify devices using platforms other than Apple, Android, and the web. For example, you could create App Check providers for desktop OSes or Internet-of-Things devices.

Now, since the current SDK that supports AppCheck is Node.js, my question is:

More specifically, I'm trying to implement AppCheck for non-Google Android phones, HarmonyOS.

But the Node.js SDK currently has one method to be used: createToken(appId: string, options?: AppCheckTokenOptions), to which I should supply an appId, a value that is generated by Firebase when registering a new app:


In this case the app platform is compatible with Firebase (Android, iOS, web, etc.). I can register, for example, a Google Android phone, but I can't register an IoT device, HarmonyOS phone, Tizen TV, etc.

How can I generate a new appId, or how should the createToken(...) method be used in those cases? Also, the REST API documentation for AppCheck requires an appId.

Edit:

I've tested using the same appId from a Google phone registered in the console for a non-Google phone, and the token can be used with enforced Firebase-protected services; it works.

Also, adding a debug token generated from a non-Google phone to a registered Google phone in the console works: Firebase passes the requests and the response is received. But I think this is not OK, since a non-Google phone impersonates a registered Google phone.

Upvotes: 2

Views: 819

Answers (1)

solamour

Reputation: 3234

Here is how I understand it.

createToken() does require a valid appId, but appId doesn't need to be for Android; it can be Web, Unity, or Flutter, as long as it's correctly registered in your Firebase project. In other words, you can create a dummy Web app in your project and use its appId to create a token.

Note that createToken() is for creating the token itself, not for verifying whether you are creating the token for a legitimate device or not; that responsibility falls on your shoulders.

Add logic to the endpoint that assesses the authenticity data. This is the core logic of your custom App Check provider, which you will need to write yourself.

If you determine the client to be authentic, use the Admin SDK to mint an App Check token and return it and its expiration time to the client.

Upvotes: 1
