1

I just added reCAPTCHA v3 to my project.

Also did all neccesery stuff at firebase, like allowed firebase App Check atc.

At this point I`m sending App Check token with cloud funtion, like here https://firebase.google.com/docs/app-check/cloud-functions

I allways get app token Valid. How can i test if it's invalid. Also why i added reCAPTCHA to firebase App Check? Is reCAPTCHA generating the App Token? I`m so confused after all day. Thank you for your answers.

Dima Malko
  • 227
  • 2
  • 19

1 Answers1

1

Recaptcha in this scenario is used to validate it's your web site making the call. Since this is using reCAPTCHA v3, your users won't even notice it is being used. It works invisibly to establish the identity of your app/site.

To test without a valid token, you can try to call the Cloud Function from any other web site, for example one where you didn't implement the reCAPTCHA.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • So this means, if some developer decides to call my onCall cloud function with bot multiple times, he will be rejected right? Because of validation token and reCAPTCHA? – Dima Malko Aug 19 '21 at 07:09
  • 1
    If their code is not running in your web site, it will indeed be rejected - as their request won't be signed with an App Check token that is valid for your project. – Frank van Puffelen Aug 19 '21 at 13:22