Open adhiamboperes opened 1 year ago
@adhiamboperes I've done the first two steps, but I can't see the graphs so I can't do the last one.
This page suggests that there are other steps that need to be followed first (2 and 3). Should I wait for the dev team to do that before proceeding?
Yes, steps 2 and 3 are dev side, and the last step on this issue will be done post-release, so I will re-assign you then.
Is your feature request related to a problem? Please describe.
As part of the Android NPS survey, we are uploading some of the user responses to Firestore. Firestore by itself does not offer adequate security, and Firebase App Check provides a solution that protects our database from malicious abuse by verifying the authenticity of writing apps and devices.
Describe the solution you'd like
The setup steps for App Check from the documentation are as follows:
In the Release section, click Setup > App integrity.
On the Integrity API page, click Link project, then select your Firebase project from the list of Google Cloud projects.
The project you select here must be the same Firebase project as the one in which you register your app.
[x] Register your apps to use App Check with the Play Integrity provider in the App Check section of the Firebase console.
[x] Developer: Add the App Check library to the app. Add the App Check and Play Integrity dependencies to the app (Gradle and Bazel) and initialize App Check in the code.
Init block
Per the documentation, this code needs to run before any other Firebase SDKs.
[x] Monitor App Check request metrics. After adding the App Check SDK to the app, but before enabling App Check enforcement, we should make sure that doing so won't disrupt our existing legitimate users. To view the App Check request metrics for a product, open the App Check section of the Firebase console.
[ ] Enable App Check enforcement. This step will not be enabled from the outset for production apps, because we need to ensure that doing so won't disrupt our existing legitimate users. We will first deploy the app with App Check configured so that we can monitor the metrics and be able to see usage from Verified, Outdated clients, Unknown origin and Invalid requests. See here for more information on metrics. Reference.
Once we have a good view of metrics, we can then enforce App Check.
To enable enforcement for Firestore:
Describe alternatives you've considered
N/A
Additional context
Additional Resources:
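
The init block from the "Add the App Check library to the app" step, as an added example that is not the issue author's or the project's own code. The class name `SurveyApplication`, the package name and the log tag are assumptions; the Firebase calls are the public App Check Android API with the Play Integrity provider.

```kotlin
package com.example.survey // hypothetical package name

import android.app.Application
import android.util.Log
import com.google.firebase.FirebaseApp
import com.google.firebase.appcheck.FirebaseAppCheck
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory

// Hypothetical Application subclass; it must be registered through
// android:name on the <application> element in AndroidManifest.xml.
class SurveyApplication : Application() {
  override fun onCreate() {
    super.onCreate()

    // Install the App Check provider before any other Firebase SDK
    // (Firestore included) is used, so that every Firestore write from
    // this process carries an App Check token.
    FirebaseApp.initializeApp(this)
    val appCheck = FirebaseAppCheck.getInstance()
    appCheck.installAppCheckProviderFactory(
      PlayIntegrityAppCheckProviderFactory.getInstance()
    )

    // Pre-enforcement sanity check: request one token and record only the
    // outcome. The token value itself is a credential and is never logged.
    // A failure here, on a build installed from Play, points at a setup
    // problem (unlinked project, unregistered app) that would otherwise
    // show up as unverified requests in the console metrics.
    appCheck.getAppCheckToken(/* forceRefresh= */ false)
      .addOnSuccessListener { Log.i(TAG, "App Check token obtained") }
      .addOnFailureListener { e -> Log.w(TAG, "App Check attestation failed", e) }
  }

  private companion object {
    const val TAG = "AppCheckInit" // hypothetical log tag
  }
}
```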