5

I am following the tutorial here, but when Firebase App Check is enforced, all queries come back as denied.

W/FirebaseProfileService: GET FAILED WITH com.google.firebase.firestore.FirebaseFirestoreException: PERMISSION_DENIED: Missing or insufficient permissions.

I have run the app check in the main activity and it doesn't produce any errors.

fun appCheck(){
    FirebaseApp.initializeApp(this)
    val firebaseAppCheck = FirebaseAppCheck.getInstance()
    firebaseAppCheck.installAppCheckProviderFactory(
        PlayIntegrityAppCheckProviderFactory.getInstance()
    )
}

I can also see the request token in the logs.

I/PlayCore: UID: [] PID: [] IntegrityService : requestIntegrityToken(IntegrityTokenRequest{nonce=*****

I/PlayCore: UID: [] PID: [] IntegrityService : Initiate binding to the service.

I/PlayCore: UID: [] PID: [] IntegrityService : ServiceConnectionImpl.onServiceConnected(ComponentInfo{com.android.vending/com.google.android.finsky.integrityservice.IntegrityService})

I/PlayCore: UID: [] PID: [] IntegrityService : linkToDeath

W/Firestore: (24.1.2) [Firestore]: ********** failed: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}

"***" data has been omitted for privacy reasons

Is there any way to check AppCheck or PlayIntegrity errors? Cloud monitoring only seems to monitor cloud functions. As stated before, all queries and firestore rules work properly when AppCheck is not enforced.

There also doesn't seem to be any mention of where to specify the latest version of the app besides uploading a release to play store console. Do I have to upload a release for AppCheck to allow firestore queries?

Edit: I'm leaning towards this being an issue with IAM roles.

David
  • Did you find any solution for this? I got the same issue. App already released to Google Play. – Binh Ho Jul 13 '23 at 04:01
  • 1
    AppCheck for Android continues to have issues. I would check here for solutions or report your issue: https://github.com/firebase/firebase-android-sdk – David Jul 21 '23 at 16:16

2 Answers

3

This is the answer I got from Firebase Support. Apparently the app must be published before App Check will work with Play Integrity. My chat with Firebase:

Yes, it is necessary to have published the app in the Google Play Store, in order to have a valid SHA-256 fingerprint and then start validating the requests by PlayIntegrity. You can check this reference.

In your case, if the app is still in development, or in continuous integration, it would be better to use a debug token in the emulator.

David
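
The debug-token setup that the support reply above recommends, as an added example (not code from the original post or from Firebase Support). It assumes a hypothetical `MyApp` Application class, that `BuildConfig` generation is enabled, and that both the `firebase-appcheck-debug` and `firebase-appcheck-playintegrity` artifacts are on the classpath; the forced token fetch also surfaces App Check failures directly instead of only as `PERMISSION_DENIED` from Firestore.

```kotlin
import android.app.Application
import android.util.Log
import com.google.firebase.FirebaseApp
import com.google.firebase.appcheck.FirebaseAppCheck
import com.google.firebase.appcheck.debug.DebugAppCheckProviderFactory
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory

// Hypothetical Application subclass (an assumption of this example);
// it must be registered in AndroidManifest.xml via android:name.
class MyApp : Application() {
    override fun onCreate() {
        super.onCreate()
        FirebaseApp.initializeApp(this)
        val appCheck = FirebaseAppCheck.getInstance()

        // Install exactly one provider, before any Firestore call is made.
        val factory = if (BuildConfig.DEBUG) {
            // Debug builds: the SDK writes a debug secret to Logcat. That value
            // has to be registered as a debug token in the Firebase console's
            // App Check settings before enforced backends accept requests.
            DebugAppCheckProviderFactory.getInstance()
        } else {
            // Release builds: attestation through Play Integrity. The debug
            // provider is never installed here, so a shipped build cannot
            // bypass attestation with a debug token.
            PlayIntegrityAppCheckProviderFactory.getInstance()
        }
        appCheck.installAppCheckProviderFactory(factory)

        // Force one token exchange at startup so that an attestation failure is
        // logged with its own exception, not just as a later Firestore denial.
        appCheck.getAppCheckToken(/* forceRefresh = */ true)
            .addOnSuccessListener { token ->
                // Log only the expiry: the token itself is a bearer credential.
                Log.i(TAG, "App Check token obtained, expires at ${token.expireTimeMillis}")
            }
            .addOnFailureListener { e ->
                Log.e(TAG, "App Check token exchange failed", e)
            }
    }

    private companion object {
        const val TAG = "AppCheckSetup"
    }
}
```

Treat the debug secret printed to Logcat like a credential and revoke it in the console when a development device is retired.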
-1

Check if your nonce is too short.

The value set in the nonce field must be correctly formatted:

  • String
  • URL-safe
  • Encoded as Base64 and non-wrapping
  • Minimum of 16 characters
  • Maximum of 500 characters

shooding