Search code examples
node.jsfirebase-realtime-databasegoogle-cloud-functionsfirebase-adminfirebase-app-check

firebase - App Check fails when accessing database from callable cloud function

I recently enabled App Check for my firebase app and enforced it on both my cloud functions and database. The cloud function workflow is behaving correctly. However, I can no longer access the database from the function. A minimal version of my callable function looks something like this:

exports.myFunc = functions.https.onCall(async (data, context) => {
  const adminApp = admin.initializeApp();
  const ref = adminApp.database().ref('some-node');
  
  if (context.app === undefined) {
    throw new functions.https.HttpsError(
      'failed-precondition',
      'The function must be called from an App Check verified app.',
    );
  }

  try {
    return (await ref.orderByKey().equalTo('foo').get()).exists()
  } catch(exc) {
    console.error(exc);
  }
});

This used to work before App Check, but now it fails and I see this in the logs:

@firebase/database: FIREBASE WARNING: Invalid appcheck token (https://my-project-default-rtdb.firebaseio.com/) Error: Error: Client is offline.

Seems like I need to do something extra to get the admin app to pass App Check verification down to the database, but I haven't been able to find any documentation on this yet. I also tried using the app instance from functions.app.admin instead of initializing a new one, but this didn't help.

I have the latest version of the packages:

"firebase-admin": "^9.10.0"
"firebase-functions": "^3.14.1"
Solution

  • firebaser here

    The behavior you're seeing is not how it's supposed to work, and we've been able to reproduce it. Thanks for the clear report, and sorry you encountered this.

    If you (re)install the Firebase Admin SDK today, you won't be experiencing this same problem as we've fixed the problem in the @firebase/database dependency (in this PR).

    If you're (still) experiencing the problem, you can check if you have the correct @firebase/database dependency by running:

    npm ls @firebase/database

    results look something like this:

    temp-admin@1.0.0 /Users/you/repos/temp-admin
└─┬ firebase-admin@9.11.0
  └── @firebase/database@0.10.8

    If your @firebase/database version is lower than 0.10.8, you'll have to reinstall the Admin SDK, for example by deleting your node_modules directory and your package-lock.json file and running npm install again. This may also update other dependencies.