Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Functions] Pass placeholder app check tokens on error #14467

Merged
merged 1 commit into from
Feb 19, 2025
Merged

[Functions] Pass placeholder app check tokens on error #14467

merged 1 commit into from
Feb 19, 2025

Conversation

ncooke3
Copy link
Member

@ncooke3 ncooke3 commented Feb 19, 2025
edited
Loading

Currently, the Functions SDK does not pass the App Check placeholder token for cases where the App Check integration fails to fetch an App Check token.

Before:
Screenshot 2025-02-18 at 7 21 58 PM

After:
Screenshot 2025-02-18 at 7 20 45 PM

@google-oss-bot
Copy link

1 Warning
⚠️ Did you forget to add a changelog entry? (Add #no-changelog to the PR description to silence this warning.)

Generated by 🚫 Danger

@paulb777
Copy link
Member

Could this be a breaking change for apps depending on the nil return?

@ncooke3 ncooke3 requested a review from andrewheard February 19, 2025 15:35
@ncooke3
Copy link
Member Author

ncooke3 commented Feb 19, 2025

Could this be a breaking change for apps depending on the nil return?

I don't think so. Here is my thinking: currently, returning nil means the App Check header won't be included. This currently happens when there is an App Check error. This PR will send the placeholder token for the App Check header in the cases where nil is returned. So, the net change will be a token is always sent. If the AppCheck integration is unenforced, there shouldn't be a difference since the presence of the token is not being enforced. If the AppCheck integration is enforced, there also shouldn't be a difference because no token or placeholder token are both not forms of valid tokens. For the backend, the difference will be it sees the placeholder token.

cc: @weixifan

@andrewheard
Copy link
Contributor

Could this be a breaking change for apps depending on the nil return?

I don't think so. Here is my thinking: currently, returning nil means the App Check header won't be included. This currently happens when there is an App Check error. This PR will send the placeholder token for the App Check header in the cases where nil is returned. So, the net change will be a token is always sent. If the AppCheck integration is unenforced, there shouldn't be a difference since the presence of the token is not being enforced. If the AppCheck integration is enforced, there also shouldn't be a difference because no token or placeholder token are both not forms of valid tokens. For the backend, the difference will be it sees the placeholder token.

That's my understanding as well. Based on these docs https://firebase.google.com/docs/app-check/monitor-functions-metrics I think devs will start seeing INVALID instead of MISSING. From what I can tell, devs would be using functionality provided by the Cloud Functions SDK (https://firebase.google.com/docs/app-check/cloud-functions), not manually writing it themselves.

andrewheard
andrewheard approved these changes Feb 19, 2025
View reviewed changes
Copy link
Contributor

@andrewheard andrewheard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, Nick! This LGTM from a Swift perspective. I'll ping Victor on Chat just to double check if that there's no reason to hold off on merging.

@ncooke3 ncooke3 merged commit 918d77d into main Feb 19, 2025
43 checks passed
@ncooke3 ncooke3 deleted the nc/functions-cleanup branch February 19, 2025 17:17
@weixifan
Copy link

weixifan commented Feb 19, 2025
edited
Loading

Thanks, Nick! This LGTM from a Swift perspective. I'll ping Victor on Chat just to double check if that there's no reason to hold off on merging.

Just as a future record of what we discussed: Nick's reasoning is correct; this is safe to merge. Thank you Nick for the fix!

@github-actions github-actions bot mentioned this pull request Feb 26, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paulb777 paulb777 paulb777 approved these changes

@andrewheard andrewheard andrewheard approved these changes

Assignees
No one assigned
Labels
api: functions
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ncooke3 @google-oss-bot @paulb777 @andrewheard @weixifan