Description
I'm using Firebase Functions to build my system. I want to add extra layers of security to avoid brute-force attacks and others, and the App Check mechanism looked like a nice solution.
BUT IT DOESN'T WORK
I did everything written in here:
https://firebase.google.com/docs/app-check/cloud-functions
https://firebase.google.com/docs/app-check/web/recaptcha-enterprise-provider
my function looks like:
exports.test = functions
  // enforceAppCheck: true is expected to reject calls without a valid App Check token
  .runWith({ timeoutSeconds: 30, memory: '128MB', enforceAppCheck: true })
  .https.onCall(async (data, context) => {
    console.log(JSON.stringify(data));
    console.log(JSON.stringify(context));
  });
But it still doesn't work.
I can open Postman or any other REST request maker, put in the function URL and just post anything like
{
"data" : { "foo" : {}, "bar" : "bar"}
}
No headers, just a POST like this with the right URL, and the request goes through...
Wasn't enforceAppCheck: true supposed to ban random requests like this? If I look at the function logs I even get a log like this:
{
insertId: "6438df00000d1c3cc2e2d44e"
jsonPayload: {
message: "Callable request verification passed"
verifications: {
app: "MISSING"
auth: "MISSING"
}
}
labels: {3}
logName: "projects/qe/logs/cloudfunctions.googleapis.com%2Fcloud-functions"
receiveTimestamp: "2023-04-14T05:05:04.982509106Z"
resource: {2}
severity: "INFO"
timestamp: "2023-04-14T05:05:04.859196Z"
}
"Callable request verification passed"
What verification? It was literally a random request.
After this log line I get 2 more lines printing the stuff I put in the function; the context shows that context.app == null and context.auth == null.
So does this app verification do nothing? Is Firebase letting people randomly brute-force our functions?
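As an added example (not part of the original post or of the Firebase SDK), the pattern the post is missing: an explicit guard that rejects any callable invocation whose context.app was not populated by App Check verification, plus a helper that finds log entries like the one above where verification "passed" with app: "MISSING". It assumes a v1-style (data, context) handler, and CallableError is a stand-in for functions.https.HttpsError so the block runs without firebase-functions installed.

```javascript
// CallableError stands in for functions.https.HttpsError (assumption)
// so this block runs without the firebase-functions package.
class CallableError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Reject unless the SDK verified an App Check token (context.app set).
function requireAppCheck(context) {
  if (!context || !context.app || !context.app.appId) {
    throw new CallableError('failed-precondition',
      'The function must be called from an App Check verified app.');
  }
}

// Wrap a callable handler so the guard runs before any handler code.
function withAppCheck(handler) {
  return (data, context) => {
    requireAppCheck(context);
    return handler(data, context);
  };
}

// Handler mirroring the post's function: echoes input for verified apps.
const testCallable = withAppCheck((data, context) => ({
  appId: context.app.appId,
  echoed: data,
}));

// Audit helper: entries where verification "passed" with app: "MISSING".
function findUnverifiedCalls(entries) {
  return entries
    .filter((e) => e.jsonPayload && e.jsonPayload.verifications &&
      e.jsonPayload.verifications.app === 'MISSING')
    .map((e) => e.insertId);
}

// Constructed sample entries modelled on the log line in the post.
const sampleLogEntries = [
  { insertId: 'constructed-1',
    jsonPayload: { message: 'Callable request verification passed',
      verifications: { app: 'MISSING', auth: 'MISSING' } } },
  { insertId: 'constructed-2',
    jsonPayload: { message: 'Callable request verification passed',
      verifications: { app: 'VALID', auth: 'VALID' } } },
];
```

The guard runs before the handler body, so a request with no App Check token is rejected even if enforceAppCheck does not reject it at the SDK layer.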