英文:
Firebase App Check and reCAPTCHA v3 Enterprise Integration: Billing and Token Reusability
问题
I'm attempting to secure a self-hosted backend for a web app using Firebase App Check with reCAPTCHA v3 Enterprise as the attestation provider, and I have some questions regarding the billing structure for this setup.
当我仅使用reCAPTCHA v3时,标准流程是在客户端上通过grecaptcha.execute进行挑战,检索一个令牌,然后将其发送到后端。然后,后端通过API请求验证令牌是否有效,从reCAPTCHA的服务器收费。根据reCAPTCHA Enterprise的定价页面,我了解到每次在后端验证令牌时都会收费。
相比之下,使用Firebase App Check的流程似乎略有不同。在这里,客户端通过Firebase App Check与reCAPTCHA v3互动,并以令牌的形式接收“认证”。然后,客户端将此令牌发送到我的后端,我的后端通过向Firebase的服务器发出请求来验证令牌的有效性。此外,Firebase App Check令牌具有可配置的过期时间,并且可以重复使用,还有启用重放保护的选项。
鉴于此,我不清楚当Firebase App Check与reCAPTCHA v3集成时计费方式如何。具体来说,我想知道:
1)每当Firebase App Check发出一个令牌时,我是否会被收费,还是仅在我在后端验证由Firebase App Check发出的令牌的有效性时才会被收费?
2)与传统的reCAPTCHA v3方法相比,Firebase App Check中重复使用令牌的能力是否有可能降低成本,其中令牌不会被重复使用?
对于这些问题的任何见解将不胜感激。
英文:
I'm attempting to secure a self-hosted backend for a web app using Firebase App Check with reCAPTCHA v3 Enterprise as the attestation provider, and I have some questions regarding the billing structure for this setup.
When only using reCAPTCHA v3, the standard process is to programmatically invoke a challenge on the client side using grecaptcha.execute, retrieve a token, and then send it to the backend. The backend subsequently verifies the token via an API request to reCAPTCHA's servers. My understanding from the reCAPTCHA Enterprise's pricing page is that I am billed each time I verify a token in the backend.
In contrast, the flow with Firebase App Check appears to be slightly different. Here, the client interacts with reCAPTCHA v3 through Firebase App Check and receives an "attestation" in the form of a token. The client then sends this token to my backend, and my backend verifies the token's validity by making a request to Firebase's servers. Additionally, Firebase App Check tokens have a configurable expiration time and can be reused, with an option to enable replay protection.
Given this, I'm unclear about how the billing works when Firebase App Check is integrated with reCAPTCHA v3. Specifically, I'm wondering:
- Am I billed each time Firebase App Check issues a token, or only when I verify the validity of a token issued by Firebase App Check in my backend?
- Does the ability to reuse tokens in Firebase App Check potentially reduce costs compared to the traditional reCAPTCHA v3 method where tokens are not reused?
Any insight into these questions would be greatly appreciated.
答案1
得分: 4
Firebaser在此,感谢您的问题。
回答您的两个问题:
- 当在后端验证App Check令牌时,您不会被收费。App Check不会向您收费,而是reCAPTCHA Enterprise会在代表您调用
assessment.create()时向您收费,这会在App Check令牌的TTL约过去50%的时候发生(如果您在没有重播保护的情况下使用App Check)。如果您使用带有重播保护的App Check,每次访问受保护的后端时都需要获取新的App Check令牌,这将导致每次都会调用assessment.create(),可能会增加与没有重播保护相比创建的评估数量。因此,我们建议您仅在访问量较低的最安全敏感的端点上使用重播保护。 - 是的,这种权衡是一个故意的特性。使用App Check的传统安全模型(即,没有重播保护)时,我们为了重用相同的App Check令牌而放弃了一定程度的安全性,您可以配置其TTL。每次刷新只调用一次
assessment.create(),但请注意,App Check SDK被设计为在App Check令牌的TTL约过去50%时主动刷新令牌(实际上以大约两倍于配置的TTL的速度刷新)。您可以在Firebase控制台中调整此TTL。
如果您对更详细的回答感兴趣,包括与新的重播保护功能的交互,请参见以下内容。
我注意到您的帖子提到了reCAPTCHA v3和reCAPTCHA Enterprise,因此让我们首先注意它们之间的区别:
- reCAPTCHA v3是免费的,每月可进行1,000,000次评估,如果要超过这个限制,您必须迁移到reCAPTCHA Enterprise或申请豁免,需要经批准。它也没有支持或SLA。
- reCAPTCHA Enterprise在每月1,000,000次调用之内是免费的,之后按成本计费。您正确地指出,您的服务器调用
assessments.create的确切次数决定了您的费用金额。它还包括基本支持和99.9%以上的可用性SLA。
在我的回答其余部分,我将假设您在帖子中指的是reCAPTCHA Enterprise(而不是reCAPTCHA v3)。
让我们讨论使用reCAPTCHA Enterprise作为您的证明提供者的App Check。基本的客户端流程(不包括重播保护)如下:
- 您的应用程序使用App Check SDK在后台管理一个App Check令牌。
- 在App Check令牌过期之前,将自动刷新令牌,使用以下令牌交换过程。(请注意:App Check SDK被设计为在App Check令牌的TTL约过去50%时刷新App Check令牌。在估算您的应用程序将创建评估的次数时,请记住这一点。)
- 调用
grecaptcha.enterprise.execute()以获取reCAPTCHA Enterprise令牌。 - 将此reCAPTCHA Enterprise令牌发送到App Check服务器。
- App Check服务器代表您调用
assessment.create()并读取评估,以确保reCAPTCHA Enterprise令牌有效。 - 如果有效,将创建并返回新的App Check令牌给SDK。
- 调用
- 每当您的应用程序需要向受App Check保护的后端端点发送请求时,您可以从App Check SDK中检索当前的App Check令牌,并将其与请求一起发送(通常作为标头
X-Firebase-AppCheck)。如果您的应用程序使用官方Firebase SDK与受App Check保护的Firebase后端通信,此步骤将自动完成。
这意味着App Check(不包括重播保护)基本上采用了基于会话的模型,其中有效的App Check令牌是已验证的应用程序会话的证明,并且只要它未过期,就是有效的。
接下来,让我们讨论基本的服务器端流程。我们建议您使用Firebase Admin SDK执行以下步骤。
- 您的服务器接收来自您的应用程序的请求以及App Check令牌。
- 您的服务器使用Admin SDK验证App Check令牌。此步骤不需要将令牌发送到App Check后端(但它会定期从App Check服务器检索公共密钥,由Admin SDK自动处理)。对您来说,此特定的App Check令牌验证是免费的。
通过使用App Check的基于会话的模型,您在多个因素之间进行了权衡,与直接集成reCAPTCHA Enterprise相比。在下面的列表中,我们列出了您应该考虑的所有方面:
- 安全性。请注意,与reCAPTCHA Enterprise的直接集成将具有内置的重播保护。也就是说,当为相同的reCAPTCHA Enterprise令牌创建两个不同的评估时,第二个评估将显示为无效。
- 配额和计费。通过放弃reCAPTCHA Enterprise令牌的内在重播保护,您可以根据流量模式的不同来减少创建的评估数量。无论用户在App Check令牌达到刷新
英文:
Firebaser here, and thanks for this question.
To answer your two questions,
- You are not billed when validating App Check tokens in your backend. App Check does not bill you—reCAPTCHA Enterprise does. They will bill you only when App Check calls
assessment.create()on your behalf, which occurs when around 50% of an App Check token's TTL has elapsed (if you are using App Check without Replay Protection). If you are using App Check with Replay Protection, you will need to obtain a new App Check token every single time you want to access your protected backend, which in turn meansassessment.create()will be invoked every single time, potentially increasing the number of assessments created compared to no Replay Protection. We therefore recommend that you use Replay Protection only on your most security-sensitive endpoints that are accessed at lower volumes. - Yes, this trade-off is a deliberate feature. With App Check's traditional security model (i.e., without Replay Protection), we are forfeiting a degree of security in exchange for reusing the same App Check token throughout a TTL that you can configure. Only one
assessment.create()is called per refresh, but keep in mind that the App Check SDK is designed to eagerly refresh the token when approximately 50% of the TTL has elapsed (effectively refreshing at about twice the rate of your configured TTL). You can adjust this TTL in the Firebase console.
If you are interested in a more detailed response, including interactions with the new Replay Protection feature, please see below.
I noticed that your post mentions both reCAPTCHA v3 and reCAPTCHA Enterprise, so let's start by noting that there is a difference between them:
- reCAPTCHA v3 is free and has a 1,000,000 monthly limit on the number of assessments you can make, and to exceed that limit, you must either migrate to reCAPTCHA Enterprise or apply for an exemption, subject to approval. It also has no support or SLAs.
- reCAPTCHA Enterprise is free up to 1,000,000 monthly calls, and at-cost beyond that. You are correct in that the exact number of times your server calls
assessments.createis what determines the amount you are billed. It also includes Basic Support and a 99.9%+ uptime SLA.
For the remainder of my response, I will assume that you are referring to reCAPTCHA Enterprise (and not reCAPTCHA v3) in your post.
Let's discuss App Check with reCAPTCHA Enterprise as your attestation provider. The basic client-side flow (without Replay Protection) is as follows:
- Your application uses the App Check SDK to manage an App Check token in the background.
- Before the App Check token expires, the token will be automatically refreshed using the following token exchange procedure. (Note: the App Check SDK is designed to refresh the App Check token when about 50% of its TTL has elapsed. Keep this in mind when estimating the number of times your application will create assessments.)
- Call
grecaptcha.enterprise.execute()to get a reCAPTCHA Enterprise token. - This reCAPTCHA Enterprise token is sent to the App Check server.
- The App Check server calls
assessment.create()on your behalf and reads the assessment to ensure that the reCAPTCHA Enterprise token is valid. - If valid, a new App Check token is created and returned to the SDK.
- Call
- Whenever your application needs to send a request to an App Check protected backend endpoint, you can retrieve the current App Check token from the App Check SDK and send it along with the request (usually as the header
X-Firebase-AppCheck). If your application is using an official Firebase SDK to communicate with an App Check protected Firebase backend, this step is automatically done for you.
What this means is that App Check (without Replay Protection) essentially employs a session-based model, where a valid App Check token is the proof of an attested app session, and it is valid as long as it has not expired.
Next, let's talk about the basic server-side flow. We recommend that you use the Firebase Admin SDK to perform the following steps.
- Your server receives a request from your application along with an App Check token.
- Your server validates the App Check token using the Admin SDK. This step does not require sending the token to the App Check backend (but it does retrieve the public keys from the App Check servers once in a while, which is handled automatically by the Admin SDK). This specific App Check token validation is at no cost to you.
By using App Check's session-based model, you are making a trade-off between multiple factors compared to a direct integration with reCAPTCHA Enterprise. Here we list all the dimensions that you should consider:
- Security. Note that a direct integration with reCAPTCHA Enterprise will have built-in replay protection. That is, when two separate assessments are created for the same reCAPTCHA Enterprise token, the second one would show up as invalid.
- Quota and billing. What you gain by forfeiting the intrinsic replay protection of reCAPTCHA Enterprise tokens is a potential decrease in the number of assessments created, depending on your traffic patterns. No matter how many times the user needs to access your protected backend before the App Check token reaches the refresh point, that user only needs 1 assessment.
- Performance. Since attestation provider handshakes are not free to run, they can impact performance, especially on mobile devices. By using App Check tokens in a background refresh, the on-device latency just before a protected action is made is eliminated.
- Federated providers. Since App Check sits in between the attestation provider and your server as a federated abstraction layer, your server no longer needs to worry about validating tokens from different attestation providers. It only needs to understand one kind of token: App Check tokens. This means you can program your server to serve all platforms with the same code (e.g., Web, Android devices, and Apple devices). The App Check server and SDKs will handle the token exchange process. If none of the out-of-the-box attestation providers work for your intended platform, you can even set up your own custom provider.
The trade-off on some of these factors can also be adjusted by increasing or decreasing the App Check token's TTL.
So far we've talked about the traditional session-based model, but as you have rightly pointed out, we recently launched the new Replay Protection feature. This new feature uses an entirely different model, one that's very similar to a direct integration with reCAPTCHA Enterprise: every call to a Replay Protected endpoint must invoke a fresh attestation. By definition, in the trade-off list above, we've made the choice to be as secure as possible while sacrificing performance and billing, but note that crucially the federation advantage remains. Another key difference is that, unlike the traditional session-based model, the Admin SDK will need to contact the Firebase App Check backend to verify that the token has not been previously consumed. However, even so, this verification is still at no cost to you.
This feature is available now on Cloud Functions for Firebase as well as your own backends. We recommend that developers use this feature to protect only their most security-sensitive endpoints that are accessed at lower volumes, since it can potentially create more assessments than App Check's traditional model (because every call requires a new assessment, just like a direct integration with reCAPTCHA Enterprise).
[Edited to fix some omissions.]
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论