Skip to content

v2 onRequest does not enforce AppCheck #1474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
AmitMY opened this issue Oct 23, 2023 · 4 comments · Fixed by #1477
Closed

v2 onRequest does not enforce AppCheck #1474

AmitMY opened this issue Oct 23, 2023 · 4 comments · Fixed by #1477

Comments

@AmitMY
Copy link
Contributor

AmitMY commented Oct 23, 2023

Related issues

#1377

[REQUIRED] Version info

"firebase-admin":
"firebase-functions":

node: v18.15.0

firebase-functions: "4.4.1",

firebase-tools: 12.5.4

firebase-admin: "11.11.0",

[REQUIRED] Test case

import {onRequest} from 'firebase-functions/v2/https';

onRequest({enforceAppCheck: true}, (req, res) => res.status(200).end());

[REQUIRED] Steps to reproduce

Set up a cloud function using v2 onRequest, with enforceAppCheck: true

[REQUIRED] Expected behavior

Calling the function (locally or when deployed) with the HTTP request should be blocked if no app check token is available

[REQUIRED] Actual behavior

Function works fine, same as #1377 without any token

Were you able to successfully deploy your functions?

yes
@Berlioz
Copy link
Contributor

Berlioz commented Oct 25, 2023

The just-add-water AppCheck integration is for callable functions, i.e ones created with onCall(), not onRequest(). As a workaround you can import the firebase-admin SDK and verify the X-Firebase-AppCheck header yourself. (If you use vscode or something else with typescript autocomplete, you'll see that enforceAppCheck is only a defined property on CallableOptions, not HttpsOptions).

@Berlioz Berlioz closed this as completed Oct 25, 2023
AmitMY added a commit to AmitMY/firebase-functions that referenced this issue Oct 27, 2023
@AmitMY
fixes firebase#1474: remove enforceAppCheck from HttpsOptions
7658ec4
@AmitMY AmitMY mentioned this issue Oct 27, 2023
Merged
@AmitMY
Copy link
Contributor Author

AmitMY commented Oct 27, 2023
edited
Loading

I am using WebStorm, and indeed it does show enforceAppCheck as an option for HttpsOptions
image
image

I think this is a bug then, specifically here:

firebase-functions/src/v2/providers/https.ts

Line 52 in 3e7a4b7

export interface HttpsOptions extends Omit<GlobalOptions, "region"> {

Fixed in: #1477

github-merge-queue bot pushed a commit that referenced this issue Aug 26, 2024
@AmitMY @taeold
fixes #1474: remove enforceAppCheck from HttpsOptions (#1477)
11808f2 
* fixes #1474: remove enforceAppCheck from HttpsOptions

* Add changelog.

---------

Co-authored-by: Daniel Lee <danielylee@google.com>
Co-authored-by: Daniel Lee <taeold@gmail.com>
@riccardocescon
Copy link

I am using firebase-functions v6.1.1. by adding enforceAppCheck: true on my onRequest function will not enforce the app check, all requests will be accepted

@davidpinosp
Copy link

Me too. I am using v6.3.0 and it doesnt work. It seems like its an error from inheriting from Global Functions which includes the enforceAppCheck flag

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fixes #1474: remove enforceAppCheck from HttpsOptions AmitMY/firebase-functions
4 participants
@Berlioz @AmitMY @riccardocescon @davidpinosp