问:如何解决Firebase App Check的权限错误?
背景:我已根据以下文档启用应用程序检查:
DeviceCheck的启用/配置依据:https://firebase.google.com/docs/app-check/ios/devicecheck-provider
已启用应用程序证明,配置依据:https://firebase.google.com/docs/app-check/ios/devicecheck-provider
SDK将添加到项目中,代码来自:https://github.com/firebase/firebase-ios-sdk/blob/master/FirebaseAppCheck/Apps/FIRAppCheckTestApp/FIRAppCheckTestApp/AppDelegate.swift
具体来说,在appdelegate中:令牌设置:
FirebaseApp.configure()
requestDeviceCheckToken()
requestDebugToken()
if #available(iOS 14.0, *) {
requestAppAttestToken()
}
呼叫:
// MARK: App Check providers
func requestDeviceCheckToken() {
guard let firebaseApp = FirebaseApp.app() else {
return
}
DeviceCheckProvider(app: firebaseApp)?.getToken { token, error in
if let token = token {
print("DeviceCheck token: \(token.token), expiration date: \(token.expirationDate)")
}
if let error = error {
print("DeviceCheck error: \((error as NSError).userInfo)")
}
}
}
func requestDebugToken() {
guard let firebaseApp = FirebaseApp.app() else {
return
}
if let debugProvider = AppCheckDebugProvider(app: firebaseApp) {
print("Debug token: \(debugProvider.currentDebugToken())")
debugProvider.getToken { token, error in
if let token = token {
print("Debug FAC token: \(token.token), expiration date: \(token.expirationDate)")
}
if let error = error {
print("Debug error: \(error)")
}
}
}
}
@available(iOS 14.0, *)
func requestAppAttestToken() {
guard let firebaseApp = FirebaseApp.app() else {
return
}
guard let appAttestProvider = AppAttestProvider(app: firebaseApp) else {
print("Failed to instantiate AppAttestProvider")
return
}
appAttestProvider.getToken { token, error in
if let token = token {
print("App Attest FAC token: \(token.token), expiration date: \(token.expirationDate)")
}
if let error = error {
print("App Attest error: \(error)")
}
}
}
requestDeviceCheckToken()返回权限错误:
DeviceCheck error: ["NSLocalizedFailureReason": The server responded with an error:
- URL: https://firebaseappcheck.googleapis.com/v1beta/projects/<GOOGLE_APP_ID>:exchangeDeviceCheckToken
- HTTP status code: 403
- Response body: {
"error": {
"code": 403,
"message": "Requests from this iOS client application \u003cempty\u003e are blocked.",
"status": "PERMISSION_DENIED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "API_KEY_IOS_APP_BLOCKED",
"domain": "googleapis.com",
"metadata": {
"service": "firebaseappcheck.googleapis.com",
"consumer": "projects/<my project #>"
}
}
]
}
}
requestDebugToken()返回权限错误:
Debug error: Error Domain=com.firebase.appCheck Code=0 "The server responded with an error:
- URL: https://firebaseappcheck.googleapis.com/v1beta/projects/<GOOGLE_APP_ID>:exchangeDebugToken
- HTTP status code: 403
- Response body: {
"error": {
"code": 403,
"message": "Requests from this iOS client application \u003cempty\u003e are blocked.",
"status": "PERMISSION_DENIED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "API_KEY_IOS_APP_BLOCKED",
"domain": "googleapis.com",
"metadata": {
"consumer": "projects/<my project #>",
"service": "firebaseappcheck.googleapis.com"
}
}
]
}
}
" UserInfo={NSLocalizedFailureReason=The server responded with an error:
- URL: https://firebaseappcheck.googleapis.com/v1beta/projects/<GOOGLE_APP_ID>:exchangeDebugToken
- HTTP status code: 403
- Response body: {
"error": {
"code": 403,
"message": "Requests from this iOS client application \u003cempty\u003e are blocked.",
"status": "PERMISSION_DENIED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "API_KEY_IOS_APP_BLOCKED",
"domain": "googleapis.com",
"metadata": {
"consumer": "projects/<my project #",
"service": "firebaseappcheck.googleapis.com"
}
}
]
}
}
}
requestAppAttestToken()会传回错误:
App Attest error: Error Domain=com.firebase.appCheck Code=0 "(null)"
GCP控制台显示对以下内容的所有调用,其中包含100%错误:
google.firebase.appcheck.v1beta.TokenExchangeService.ExchangeDebugToken
google.firebase.appcheck.v1beta.TokenExchangeService.ExchangeDeviceCheckToken
google.firebase.appcheck.v1beta.TokenExchangeService.GenerateAppAttestChallenge
所有这些似乎都指向权限错误?具体来说,GOOGLE_APP_ID在请求URL中,但应用检查是通过控制台在Firebase中配置的...
我在文档中没有看到任何东西,或者在IAM中没有看到任何明显的我错过的东西?
泰提前求援!
***更新***进一步测试后( Postman ):
问题似乎是SDK在调用AppCheck API时未正确传递X-Ios-Bundle-Identifier
。
得出此结论的步骤:
- 来自邮政:API调用w/原始API_KEY -〉产生初始(以上)错误响应/403
- 来自邮政:如上所述的API调用,+ X-IOS-Bundle-Identifier + valid debug_token -〉产生成功有效负载。
因此:
- 有什么想法可以帮助识别为什么SDK没有通过
X-Ios-Bundle-Identifier
?应用程序使用其他Firebase API的w/out问题,因此似乎仅限于AppCheck SDK... - 和/或-
X-Ios-Bundle-Identifier
是否可以通过编程方式(在Swift中)添加到AppCheck调用中(在.plist中进行了正确标记)
已解决!
App Check SDK目前不支持API密钥的Android / iOS应用程序限制。因此,您必须移除API密钥的应用程序限制才能解决此问题。
希望应用程序限制在某个时候会得到支持...
更新!
v8.8.0-beta现在支持软件包ID!:)
3条答案
按热度按时间jrcvhitl1#
创建私钥
下的firebase项目设置中
https://firebase.google.com/docs/app-check/ios/devicecheck-provider
如果你使用AppCheckDebugProvider(基本上是模拟器),运行项目后你会在控制台中看到一个调试令牌,你需要复制它并添加到项目设置的AppCheck中。然后AppCheck会批准它。另外不要忘记为
Arguments Passed on Launch
添加-FIRDebugEnabled
。https://firebase.google.com/docs/app-check/ios/debug-provider
AppCheck的测试版不适用于AppAttest开发环境,因此您需要在授权中设置
production
环境。默认情况下,AppAttest适用于开发环境,无论您在市场中选择哪种环境,它都适用于生产环境。https://firebase.google.com/docs/app-check/ios/app-attest-provider
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_devicecheck_appattest-environment
您可以简化代码
得到一个代币
或者,如果你想保护非firebase资源,你可以得到一个令牌,如下所示:
https://firebase.google.com/docs/app-check/ios/custom-resource
pgky5nke2#
App Check SDK目前不支持API密钥的Android / iOS应用程序限制。因此,您必须移除API密钥的应用程序限制才能解决此问题。
希望应用程序限制在某个时候会得到支持...
kx1ctssn3#
遇到此错误-以下是对我有效的方法: