Firebase App Check on iOS: 403 permission error - permission denied

6uxekuva  posted on 2022-11-30  in  iOS
Follow (0) | Answers (3) | Views (336)

Q: How do I resolve permission errors with Firebase App Check?
Background: I have enabled App Check per the following documentation:
DeviceCheck enabled/configured per: https://firebase.google.com/docs/app-check/ios/devicecheck-provider
App Attest enabled, configured per: https://firebase.google.com/docs/app-check/ios/devicecheck-provider
SDK added to the project, with code from: https://github.com/firebase/firebase-ios-sdk/blob/master/FirebaseAppCheck/Apps/FIRAppCheckTestApp/FIRAppCheckTestApp/AppDelegate.swift
Specifically, in the AppDelegate, the token setup:

FirebaseApp.configure()

requestDeviceCheckToken()

requestDebugToken()

if #available(iOS 14.0, *) {
  requestAppAttestToken()
}

Calling:

// MARK: App Check providers
  func requestDeviceCheckToken() {
    guard let firebaseApp = FirebaseApp.app() else {
      return
    }

    DeviceCheckProvider(app: firebaseApp)?.getToken { token, error in
      if let token = token {
        print("DeviceCheck token: \(token.token), expiration date: \(token.expirationDate)")
      }

      if let error = error {
        print("DeviceCheck error: \((error as NSError).userInfo)")
      }
    }
  }

  func requestDebugToken() {
    guard let firebaseApp = FirebaseApp.app() else {
      return
    }

    if let debugProvider = AppCheckDebugProvider(app: firebaseApp) {
      print("Debug token: \(debugProvider.currentDebugToken())")

      debugProvider.getToken { token, error in
        if let token = token {
          print("Debug FAC token: \(token.token), expiration date: \(token.expirationDate)")
        }

        if let error = error {
          print("Debug error: \(error)")
        }
      }
    }
  }

  @available(iOS 14.0, *)
  func requestAppAttestToken() {
    guard let firebaseApp = FirebaseApp.app() else {
      return
    }

    guard let appAttestProvider = AppAttestProvider(app: firebaseApp) else {
      print("Failed to instantiate AppAttestProvider")
      return
    }

    appAttestProvider.getToken { token, error in
      if let token = token {
        print("App Attest FAC token: \(token.token), expiration date: \(token.expirationDate)")
      }

      if let error = error {
        print("App Attest error: \(error)")
      }
    }
  }

requestDeviceCheckToken() returns a permission error:

DeviceCheck error: ["NSLocalizedFailureReason": The server responded with an error: 
 - URL: https://firebaseappcheck.googleapis.com/v1beta/projects/<GOOGLE_APP_ID>:exchangeDeviceCheckToken 
 - HTTP status code: 403 
 - Response body: {
  "error": {
    "code": 403,
    "message": "Requests from this iOS client application \u003cempty\u003e are blocked.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_IOS_APP_BLOCKED",
        "domain": "googleapis.com",
        "metadata": {
          "service": "firebaseappcheck.googleapis.com",
          "consumer": "projects/<my project #>"
        }
      }
    ]
  }
}

requestDebugToken() returns a permission error:

Debug error: Error Domain=com.firebase.appCheck Code=0 "The server responded with an error: 
 - URL: https://firebaseappcheck.googleapis.com/v1beta/projects/<GOOGLE_APP_ID>:exchangeDebugToken 
 - HTTP status code: 403 
 - Response body: {
  "error": {
    "code": 403,
    "message": "Requests from this iOS client application \u003cempty\u003e are blocked.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_IOS_APP_BLOCKED",
        "domain": "googleapis.com",
        "metadata": {
          "consumer": "projects/<my project #>",
          "service": "firebaseappcheck.googleapis.com"
        }
      }
    ]
  }
}
" UserInfo={NSLocalizedFailureReason=The server responded with an error: 
 - URL: https://firebaseappcheck.googleapis.com/v1beta/projects/<GOOGLE_APP_ID>:exchangeDebugToken 
 - HTTP status code: 403 
 - Response body: {
  "error": {
    "code": 403,
    "message": "Requests from this iOS client application \u003cempty\u003e are blocked.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_IOS_APP_BLOCKED",
        "domain": "googleapis.com",
        "metadata": {
          "consumer": "projects/<my project #",
          "service": "firebaseappcheck.googleapis.com"
        }
      }
    ]
  }
}
}

requestAppAttestToken() returns an error:

App Attest error: Error Domain=com.firebase.appCheck Code=0 "(null)"

The GCP console shows all calls to the following, with 100% errors:

google.firebase.appcheck.v1beta.TokenExchangeService.ExchangeDebugToken
google.firebase.appcheck.v1beta.TokenExchangeService.ExchangeDeviceCheckToken
google.firebase.appcheck.v1beta.TokenExchangeService.GenerateAppAttestChallenge

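All of this seems to point to a permission error? Specifically, GOOGLE_APP_ID is in the request URL, but App Check is configured in Firebase via the console...
I don't see anything in the docs, or anything obvious in IAM, that I've missed?
Thanks in advance for any help!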

***UPDATE*** After further testing (using Postman):
The issue seems to be that the SDK is not properly passing X-Ios-Bundle-Identifier when calling the AppCheck API

Steps taken to reach this conclusion:

  • From Postman: API call with the original API_KEY -> yields the initial (above) error response/403
  • From Postman: API call as above, + X-IOS-Bundle-Identifier + valid debug_token -> yields a successful payload.

So:

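  • Any ideas to help identify why the SDK isn't passing X-Ios-Bundle-Identifier? The app uses other Firebase APIs without issue, so it seems to be limited to the AppCheck SDK...
  • And/or: can X-Ios-Bundle-Identifier be added programmatically (in Swift) to the AppCheck calls (it is properly identified in the .plist)?

Solved!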

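The App Check SDK does not currently support Android / iOS application restrictions for API keys. Because of that, you have to remove the app restriction from your API key to resolve this issue.
Hopefully app restrictions will be supported at some point...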

UPDATE!

v8.8.0-beta now supports bundle IDs! :)
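The 403 bodies shown in the question all carry the same google.rpc.ErrorInfo reason, which is what separates an API key application restriction from other permission problems. As an added example (not from the original post or the Firebase SDK), the Swift below decodes the JSON after "Response body:" in the NSLocalizedFailureReason text and reports that reason. The type and function names are hypothetical and the sample string is constructed from the error output above.

```swift
import Foundation

// Added example; type and function names are hypothetical, not Firebase SDK API.
struct AppCheckServerError: Decodable {
    struct Detail: Decodable { let reason: String? }
    struct Body: Decodable {
        let code: Int
        let message: String
        let status: String
        let details: [Detail]?
    }
    let error: Body
}

/// Decodes the JSON that follows "Response body:" in the failure text,
/// i.e. the NSLocalizedFailureReason value printed in the question.
func parseServerError(_ failureReason: String) -> AppCheckServerError? {
    guard let marker = failureReason.range(of: "Response body:") else { return nil }
    let tail = failureReason[marker.upperBound...]
    guard let start = tail.firstIndex(of: "{"),
          let end = tail.lastIndex(of: "}") else { return nil }
    let json = Data(String(tail[start...end]).utf8)
    return try? JSONDecoder().decode(AppCheckServerError.self, from: json)
}

func diagnose(_ failureReason: String) -> String {
    guard let err = parseServerError(failureReason)?.error else {
        return "no server response body found"
    }
    let reasons = (err.details ?? []).compactMap { $0.reason }
    guard err.code == 403, reasons.contains("API_KEY_IOS_APP_BLOCKED") else {
        return "HTTP \(err.code) \(err.status): \(err.message)"
    }
    // JSON decoding turns \u003cempty\u003e into "<empty>": no client app was named,
    // which the poster traced to a missing X-Ios-Bundle-Identifier header.
    return err.message.contains("<empty>")
        ? "API key iOS app restriction hit; request named no client app"
        : "API key iOS app restriction hit; named client app is not allowed"
}

// Constructed sample, shortened from the DeviceCheck error in the question.
let sample = #"""
The server responded with an error:
 - Response body: {"error": {"code": 403, "status": "PERMISSION_DENIED",
   "message": "Requests from this iOS client application \u003cempty\u003e are blocked.",
   "details": [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
                "reason": "API_KEY_IOS_APP_BLOCKED"}]}}
"""#
print(diagnose(sample))
```

Pass it the NSLocalizedFailureReason value from the error's userInfo, which contains the response body once; the full error description repeats the body and will not decode as a single JSON object.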


jrcvhitl1#

1. Configure the private key for DeviceCheck

  • Make sure you have created a private key for DeviceCheck
  • and installed it in the Firebase project settings under the AppCheck tab

https://firebase.google.com/docs/app-check/ios/devicecheck-provider

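2. Add the debug token to Firebase.

If you use AppCheckDebugProvider (basically for simulators), after running the project you will see a debug token in the console; you need to copy it and add it to AppCheck in the project settings. AppCheck will then approve it. Also, don't forget to add -FIRDebugEnabled to Arguments Passed on Launch.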
https://firebase.google.com/docs/app-check/ios/debug-provider

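3. Add the production entitlement for the AppAttest environment.

The beta version of AppCheck does not work with the AppAttest development environment, so you need to set the production environment in your entitlements. By default, AppAttest works in the development environment, and regardless of which environment you choose in the market, it works in the production environment.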
https://firebase.google.com/docs/app-check/ios/app-attest-provider
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_devicecheck_appattest-environment

4. Optional:

You can simplify the code

// Debug provider on the simulator, the app's own factory on devices
#if targetEnvironment(simulator)
    let providerFactory = AppCheckDebugProviderFactory()
#else
    let providerFactory = CustomAppCheckProviderFactory()
#endif

// Register the factory with App Check
AppCheck.setAppCheckProviderFactory(providerFactory)

Get a token

if let fbApp = FirebaseApp.app() {
    providerFactory.createProvider(with: fbApp)?.getToken { token, error in
        if let token = token {
            print("AppCheck token: \(token.token), expiration date: \(token.expirationDate)")
        } else if let error = error {
            print("AppCheck error: \((error as NSError).userInfo)")
        }
    }
}

Or, if you want to protect non-Firebase resources, you can get a token like this:

AppCheck.appCheck().token(forcingRefresh: false) { token, error in
    if let token = token {
        print("AppCheck token: \(token.token), expiration date: \(token.expirationDate)")
    } else if let error = error {
        print("AppCheck error: \((error as NSError).userInfo)")
    }
}

https://firebase.google.com/docs/app-check/ios/custom-resource


pgky5nke2#

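The App Check SDK does not currently support Android / iOS application restrictions for API keys. Because of that, you have to remove the app restriction from your API key to resolve this issue.
Hopefully app restrictions will be supported at some point...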


kx1ctssn3#

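Ran into this error - here is what worked for me:

  • Run the app on a real Android device
  • Open Android Studio → Logcat → search for "DebugAppCheckProvider" → copy the debug key
  • In Firebase, go to App Check → Apps → 3-dot menu → Manage debug tokens → Add token → name it → paste the debug key
  • Add a console log for the token after activating App Check.

// The enclosing async function is not shown in the original post;
// the name setupAppCheck is a placeholder.
const setupAppCheck = async () => {
  try {
    await firebase.appCheck().activate("ignored", true);
    const token = await getAppCheckToken();
    console.log({ token });
  } catch (err) {
    console.error(err);
  }
};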
