Why does Angular Fire / Firebase Deny my Web App Check Request Even with the Debug Token Setup for Local Development?

huangapple go评论75阅读模式
英文:

Why does Angular Fire / Firebase Deny my Web App Check Request Even with the Debug Token Setup for Local Development?

问题

AngularFire / Firebase 调试令牌问题

在我的 app.module.ts:

import <各种导入>...

declare global {
  // eslint-disable-next-line no-var
  var FIREBASE_APPCHECK_DEBUG_TOKEN: boolean | string | undefined;
}

self.FIREBASE_APPCHECK_DEBUG_TOKEN = environment.appCheckDebug; // 设置为在 Firebase 控制台中与 App-Check 注册的 <debugToken>

@NgModule({
  declarations: [<组件声明>...],
  imports: [
    <ng 材料模块导入>..., 
    provideFirebaseApp(() => initializeApp(environment.firebaseConfig)),
    provideAppCheck(() =>
      initializeAppCheck(getApp(), {
        provider: new ReCaptchaV3Provider(environment.recaptchaSiteKey),
        isTokenAutoRefreshEnabled: true,
      })
    ),
    provideFirestore(() => getFirestore()),
    provideStorage(() => getStorage()),
    provideAnalytics(() => initializeAnalytics(getApp())),
    <serviceworker 模块>],
  providers:[],
  bootstrap:[AppComponent] 
})
export class AppModule{}

问题似乎是对 https://content-firebaseappcheck.googleapis.com/v1/projects/<projectId>/apps/<appId>:exchangeDebugToken?key=<firebaseAPIKey> 的 POST 请求。

请求体:

{"debug_token":"<debugToken>"}

响应:

{
  "error": {
    "code": 403,
    "message": "阻止来自引用者 http://localhost:8080/ 的请求。",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_HTTP_REFERRER_BLOCKED",
        "domain": "googleapis.com",
        "metadata": {
          "service": "firebaseappcheck.googleapis.com",
          "consumer": "projects/<redact>"
        }
      }
    ]
  }
}

当我尝试通过 Postman 发送带有 Firebase 主机 URL 的 Referer 标头的 POST 请求时,成功了。我以为调试令牌应该可以避免需要来自本地主机上项目 URL 的请求,所以我很困惑。

英文:

AngularFire / Firebase Debug Token Issues

In my app.module.ts:

import <various imports>...

declare global {
  // eslint-disable-next-line no-var
  var FIREBASE_APPCHECK_DEBUG_TOKEN: boolean | string | undefined;
}

self.FIREBASE_APPCHECK_DEBUG_TOKEN = environment.appCheckDebug; // set to <debugToken> that registered with App-Check in Firebase Console

@NgModule({
  declarations: [<component decs>...],
  imports: [
    <ng material module imports>..., 
    provideFirebaseApp(() => initializeApp(environment.firebaseConfig)),
    provideAppCheck(() =>
      initializeAppCheck(getApp(), {
        provider: new ReCaptchaV3Provider(environment.recaptchaSiteKey),
        isTokenAutoRefreshEnabled: true,
      })
    ),
    provideFirestore(() => getFirestore()),
    provideStorage(() => getStorage()),
    provideAnalytics(() => initializeAnalytics(getApp())),
    <serviceworker module>],
  providers:[],
  bootstrap:[AppComponent] 
})
export class AppModule{}

The issue seems to be a POST request to https://content-firebaseappcheck.googleapis.com/v1/projects/<projectId>/apps/<appId>:exchangeDebugToken?key=<firebaseAPIKey>

Request body:

{"debug_token":"<debugToken>"}

Response:

{
  "error": {
    "code": 403,
    "message": "Requests from referer http://localhost:8080/ are blocked.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_HTTP_REFERRER_BLOCKED",
        "domain": "googleapis.com",
        "metadata": {
          "service": "firebaseappcheck.googleapis.com",
          "consumer": "projects/<redact>"
        }
      }
    ]
  }
}

When I tried to add a Referer header using the Firebase hosting url through a postman POST request it was successful. I thought the debug token was supposed to get around needing the request to be from the project url on localhost, so I'm very confused.

答案1

得分: 0

参见第4个答案,涉及API密钥限制。这在我的情况下是原因。

英文:

https://stackoverflow.com/questions/69521649/how-to-use-firebase-app-check-in-react-403-error

See answer 4 regarding API key restriction. It was the cause in my case.

答案2

得分: 0

这是答案。我已经限制了我的API密钥,需要撤销限制。https://stackoverflow.com/questions/54072206/requests-for-referrer-are-blocked-when-trying-to-sign-in-anonymously-to-firebase

此外,我还遇到了这个问题,并通过以下方式解决了它:

你需要在客户端使用 await getToken() 并将其作为你的 X-Firebase-AppCheck 头部发送:

async getAppCheckToken(): Promise<string | AppCheckTokenResult | undefined> {
    try {
      info(this.appCheck);
      this.tokenResult = (await getToken(this.appCheck)).token; 
      info(this.tokenResult);
    } catch (err) {
      error(err);
    }
    return this.tokenResult;
  }

它将生成一个可以在 jwt.io 上检查的调试提供者 jwt,其载荷应该如下所示:

{
  "sub": "<appId>",
  "aud": [
    "projects/<project-number>",
    "projects/<project-name>"
  ],
  "provider": "debug",
  "iss": "https://firebaseappcheck.googleapis.com/<project-number>",
  "exp": 1684275518,
  "iat": 1684271918,
  "jti": "<jwt-uuid-redacted>"
}
英文:

This was the answer. I had restricted my API Key and needed to undo that. https://stackoverflow.com/questions/54072206/requests-for-referrer-are-blocked-when-trying-to-sign-in-anonymously-to-firebase

In addition to this I had issues with this question as well, resolved it with the following:

You need to use await getToken() in your client and send that as your X-Firebase-AppCheck header:

async getAppCheckToken(): Promise<string | AppCheckTokenResult | undefined> {
    try {
      info(this.appCheck);
      this.tokenResult = (await getToken(this.appCheck)).token; 
      info(this.tokenResult);
    } catch (err) {
      error(err);
    }
    return this.tokenResult;
  }

it will generate a debug provider jwt that you can check on jwt.io, it's payload should look like the following:

{
  "sub": "<appId>",
  "aud": [
    "projects/<project-number>",
    "projects/<project-name>"
  ],
  "provider": "debug",
  "iss": "https://firebaseappcheck.googleapis.com/<project-number>",
  "exp": 1684275518,
  "iat": 1684271918,
  "jti": "<jwt-uuid-redacted>"
}

huangapple
  • 本文由 发表于 2023年4月17日 02:54:24
  • 转载请务必保留本文链接:https://go.coder-hub.com/76029752.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定