firebase / firebase-js-sdk

Firebase Javascript SDK
https://firebase.google.com/docs/web/setup

App check - App attestation failed response #5172

Closed erangamapa closed 3 years ago

erangamapa commented 3 years ago

[REQUIRED] Describe your environment

[REQUIRED] Describe the problem

I can see in the request to content-firebaseappcheck.googleapis.com that I am sending recaptcha_token in the payload, but I am getting a 403 with the following response. However, other features from Firebase work perfectly.

{ "error": { "code": 403, "message": "App attestation failed.", "status": "PERMISSION_DENIED" } }

Steps to reproduce:

  1. Created reCaptcha account and got a public key and secret key for my domain.
  2. Set the secret key in the Firebase admin console App Check (beta) section properly (did not enforce it).
  3. Enabled app check in my web app using js sdk (typescript).
  4. Load the web app in chrome/safari.

Relevant Code:

// Firebase App (the core Firebase SDK) is always required and must be listed first
import 'firebase/app';
import 'firebase/app-check';
import 'firebase/analytics';
import 'firebase/auth';
import 'firebase/firestore';

import firebase from 'firebase/app';
import { authStateObserver } from 'materialbet-auth-utils/lib/userState';

// If you are using v7 or any earlier version of the JS SDK, import firebase as a namespace:
// import * as firebase from "firebase/app"

// FIREBASE_*, AUTH_DOMAIN and ENABLE_FIREBASE_APP_CHECK are assumed to be build-time
// constants injected by the bundler (they are not declared in this file).
// For Firebase JavaScript SDK v7.20.0 and later, `measurementId` is an optional field
const firebaseConfig = {
    apiKey: FIREBASE_API_KEY,
    authDomain: AUTH_DOMAIN,
    projectId: FIREBASE_PROJECT_ID,
    storageBucket: FIREBASE_STORAGE_BUCKET,
    messagingSenderId: FIREBASE_MESSAGING_SENDER_ID,
    appId: FIREBASE_APP_ID,
    measurementId: FIREBASE_MEASUREMENT_ID || undefined,
    databaseURL: FIREBASE_DATABASE_URL // Mainly for Flamelink and other future usages
};

// Initialize Firebase
export const setupFirebase = () => {
    const instance = firebase.initializeApp(firebaseConfig);

    // Activate App Check to limit abuse of the APIs. Currently for RTDB, used with Flamelink.
    // The argument is the reCAPTCHA *site* (public) key only; the secret key is registered
    // in the Firebase console and must never ship to the browser.
    if (ENABLE_FIREBASE_APP_CHECK) {
        firebase.appCheck().activate(FIREBASE_APP_CHECK_RECAPTCHA_PUBLIC_KEY);
    }

    // Register anything that needs to be registered immediately after initialization
    instance.auth().onAuthStateChanged(authStateObserver);
    if (FIREBASE_MEASUREMENT_ID) {
        firebase.analytics();
    }
    return instance;
};

google-oss-bot commented 3 years ago

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

looptheloop88 commented 3 years ago

Hi @erangamapa, thanks for the report and patiently waiting. Are you able to replicate this issue consistently when registering an app or creating a new reCAPTCHA?

I tried replicating the issue, but I wasn't able to. By any chance, are you running under localhost, or is your app deployed to Hosting? Please make sure that all the settings you're using are correct, especially the keys and domains.

erangamapa commented 3 years ago

@looptheloop88 I tried both localhost and Hosting on two different domains, with all the domains (including localhost) correctly configured in reCAPTCHA. I did this even before asking you, and the error still appeared. But I did not try a different reCAPTCHA account. However, my domains are listed under two reCAPTCHA accounts: one for a different purpose, and the other I created specifically for App Check; I do not think that's a problem. I also created a minimal example and tried that as well, but the issue still persists. Here is the gist: https://gist.github.com/erangamapa/c9eccac208549ef8a1d41791baa073a0 I don't think the credentials are wrong, because other services work; for example, I am getting data from Flamelink successfully, it is just that App Check fails.

erangamapa commented 3 years ago

I figured out the issue. I was using a v2 reCAPTCHA key instead of v3, as only v3 is supported for API calls. Hence closing this.