Enforcing AppCheck on Firebase Realtime Database has no effect
Question
I have a webpage which receives data from a realtime database using the following javascript code:
firebase.initializeApp(fbConfig); firebase.appCheck().activate('6LdKHhMbAAAAAHeIcmY17pO7tccNzVcT6OkyvOPr'); firebase.database().ref('/feed').on('value', (snapshot) => { console.log(snapshot.val()); }
AppCheck is enforced for the realtime database with reCAPTCHA configured. But even without the appCheck().activate() line, the page is able to receive data. Seems that the app check functionality has not effect.
The purpose should be that only real (anonymous) users, having a good reCAPTCHA score are able to receive the data.
Any idea what is missing here. I expected that the page will not be able to get data once App Check is enforced, if it is not activating with the correct shared code. But there seems to be missing something here. For this read-only application no token (as from grecaptcha.execute()) is send to my server in some way, there is no request going to my on server, like it would be the case if forms are submitted. Firebase seems to have no setting to steer which reCAPTCHA ratting is needed.
1 answers
solution1
4 ACCPTED 2021-06-08 18:03:49
firebaser here
Since we would need more information from you in order to help you debug this issue, could you please reach out to Firebase support directly for personalized help in troubleshooting? You can then report back your case ID so I can take a look.
[Edit: Thanks for filing the case with us. I have added the answer below.]
The root cause is that your RTDB instance is in a non-US location. Currently this is unsupported by App Check but we are adding App Check support for non-US RTDB instances very soon. I will post here to let folks know when this is supported.
[Second Edit: We plan to release App Check support for non-US RTDB instances next week, the week of 2021-06-21. Stay tuned for another update next week.]
Final edit: App Check now supports non-US RTDB instances. It should work for you now. Thank you for bringing this to our attention!
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.