🐛 [firebase_app_check] [WEB] Can't use Flutter Web with App Check for Authentication enforced. User logs out on initial page load. #11828

Open drklrd56 opened 8 months ago

drklrd56 commented 8 months ago

Bug report

Describe the bug

When enforcing App Check for Authentication on Firebase, I can connect my Flutter App and login users using phone authentication.

After the user logs in a Flutter web application with App Check for authentication enforced and I close the task and revisit the web app I get a 401 error on initial page load:***************** 401

User credentials are cleared from local storage on 401 and the user has to login again on every visit/ initial page load.

Note: The is no delay between page visits.

Here's a video of the flutter web app behavior deployed on a web server

Steps to reproduce

Steps to reproduce the behavior:

  1. Go to Firebase and enforce App Check for Authentication
  2. Run/Deploy flutter web app (Firebase App Check needs to be set up).
  3. Log in with phone authentication.
  4. Close the tab and visit the web-app again.

Expected behavior

User should be logged in to my app during initial page loads, but I get an App Check error instead and the user credentials are wiped out from the local storage

Sample project

I cannot provide the login flow using mobile authentication but below is my main.dart. I think this is more than enough to recreate the issue.

`Future<void> main() async {
  await Firebase.initializeApp(options: DefaultFirebaseOptions.currentPlatform);
  await FirebaseAppCheck.instance.activate(
      .distinct((first, second) => first?.uid == second?.uid);

  runApp(const WebApp());

Additional context

The issue is similar to The issue was closed in app_check v0.2.1 but I am still facing this issue*****************

I checked the network requests and found out that the X-Firebase-Appcheck is present in the headers for the request url above but it's missing on initial page load after I revisit the web-app. As the app check token is missing the request is rejected (401) due to enforcement.

Request screenshots of login request using phone authentication

275826264-e285a354-1354-4151-b0b1-a4a7f7864801 275826273-577fe711-34fa-4c91-95b4-9a664703c2ad

Screenshots of the login request on initial page load.

275826555-540d8fc0-2310-48b7-a09d-317032e60bd8 275826565-eda6299f-4fd7-418a-bcc6-ff8377e8c572

Flutter doctor

Run flutter doctor and paste the output below:

Click To Expand ``` [!] Flutter (Channel stable, 3.13.8, on macOS 14.1 23B74 darwin-arm64, locale en-PK) ! Warning: `flutter` on your path resolves to /Library/flutter/bin/flutter, which is not inside your current Flutter SDK checkout at /library/flutter. Consider adding /library/flutter/bin to the front of your path. ! Warning: `dart` on your path resolves to /Library/flutter/bin/dart, which is not inside your current Flutter SDK checkout at /library/flutter. Consider adding /library/flutter/bin to the front of your path. [✓] Android toolchain - develop for Android devices (Android SDK version 32.0.0) [✓] Xcode - develop for iOS and macOS (Xcode 15.0.1) [✓] Chrome - develop for the web [✓] Android Studio (version 2021.2) [✓] VS Code (version 1.84.0) [✓] Connected device (3 available) [✓] Network resources ```

Flutter dependencies

Run flutter pub deps -- --style=compact and paste the output below:

darshankawar commented 8 months ago

@drklrd56 Check this issue and underlying comments and see if it helps in your case or not.

drklrd56 commented 8 months ago

I will test the fix mentioned there. I will notify once I have tested it.

drklrd56 commented 8 months ago

If you expand Flutter dependencies mentioned in the issue and search for firebase_core_web, you can see that I am on the latest version of the package (v.2.8.1). According to the change log of the firebase_core_web package, firebase SDK was updated to v.10.3.1 in v.2.8.0 so that closing comment mentioned in the issue doesn't resolve my issue.

Also I updated my firebase dependencies to the latest versions, deployed my web app and tested again. But the issue is still there.

@drklrd56 Check this issue and underlying comments and see if it helps in your case or not.

darshankawar commented 8 months ago

@drklrd56 Is the issue occuring only if you deploy to a host or also locally in debug mode ?

drklrd56 commented 8 months ago

@darshankawar same issue in local debug mode

PS: The debug token used is registered on the firebase console

Screenshot 2023-11-09 at 2 33 10 PM
darshankawar commented 8 months ago

User should be logged in to my app during initial page loads, but I get an App Check error instead and the user credentials are wiped out from the local storage

@drklrd56 Revisiting the issue again, the user credentials being wiped out after you are closing the tab and restarting, in chrome debug, it is expected since the browser is starting from a clean state. Also, to have the state to be persisted locally you need to keep the same port between restarts.

drklrd56 commented 8 months ago

but I am am using the same port 8080 for local debugging.. local storage is maintained.

This is my launch.json for debugging. I have set the web-port to 8080 to specifically deal with the local host issue due to port shift on hot restart. { "name": "Launch prod(web)", "request": "launch", "type": "dart", "program": "lib/web/main.dart", "args": [ "-d", "chrome", "--web-port", "8080", "--dart-define", "flavor=production", "--target", "lib/web/main.dart" ] },

drklrd56 commented 8 months ago


drklrd56 commented 8 months ago


As there has been no reply from the firebase team. I did my own debugging into firebase packages and found the issue. The MR to resolve this will not work for the initial page load issue because even if we move the app check service initialization before every other firebase service, if the service initializer skips its activation then we are on ground zero, that is no app-check-token in the headers and the request will result in 401.

If we look in the ensurePluginInitialized function for app check package it reads the recaptchaType and recaptchaSiteKey from the session storage and if these variables are not in the session storage it does not call the activate function.

That is our issue, I added a print state at the top of my main function that check the session storage when the app starts and at that time there are no key-value pairs for recaptchaType and recaptchaSiteKey in the session storage. They are added much later after the initial user fetch call has been sent and the user is signed out on 401 error.

Screenshot 2023-11-16 at 12 23 29 PM Screenshot 2023-11-16 at 12 23 08 PM

I added a way around in my main.dart that check if the recaptchaType and recaptchaSiteKey key-value pairs are present in my session storage if not then it writes them to the session storage. Doing this does not affect the firebase app flow because the app check can just rewite the session storage later and it will not cause it to throw an error.

Screenshot 2023-11-16 at 1 07 59 PM

I added the way around, tested the app in local debug mode and after deployment and the initial page load issue was resolved. As this is just a way around the issue, I expect the firebase team to at least resolve it in the app check package initialization code.

danagbemava-nc commented 8 months ago

Hi @drklrd56, sorry for getting to this late.

Labeling based on the report shared above as I do not have a firebase project capable of reproducing this atm

drklrd56 commented 7 months ago

Sorry for the late reply.. @danagbemava-nc

You don't need to do anything different on the flutter project.

  1. Create a firebase app on console enable authentication and enable app check
  2. Create a flutter project and add firebase authentication and firebase app check.
  3. Add a button to login using email and password and a logout button. The login button should disappear if the user is loggedIn. That's it.
  4. Create a build for the app and deploy and then go to website, login, close the page, revisit the page. You will be able to reproduce the issue.
  5. If you are using localhost. launch the app in using flutter run, login, copy the localhost url and paste it load the app in another tab. You will be able to reproduce the issue.
danagbemava-nc commented 7 months ago

@drklrd56, what I meant was, I can't enable app_check for auth on my current firebase projects

T-P-F commented 4 months ago

Here's a write-up I did on the same issue before finding this issue. Perhaps it can help with implementation of a fix: #12199