Fix App Check timer issues

[hsubox76]

Fixes #6373

Causes

Found 2 causes of the problems:

1. getToken() needs to return an error result (a dummy token with an error property) whenever there is an error. It was assuming that if there was an error there would be no token. This is not always the case. If the token is about to expire, the proactive refresh attempt may run into an error at the exchange endpoint. Then there will be an existing valid token, but also en error.
2. When getToken() makes a request to the exchange endpoint, it stores the promise in state.exchangeTokenPromise and doesn't make another request if the promise is in flight, instead, any calls during that period await the existing promise. Once the promise is resolved, it clears state.exchangeTokenPromise, allowing future exchange requests to be made when needed. The mistake was that it only cleared this when the promise was resolved, and not when the promise was rejected, so that once an exchange request promise failed, another one wouldn't be made until memory was cleared. (This may be why users had to refresh the page.)

Solutions

1. We need getToken() to return a token with a special error property, internalError. The reason this needs to be different from error, is that there's 2 different places that look for the error property on the result returned by getToken(). The first is the Refresher operation callback (defined inside createTokenRefresher), where we need it to find the error property (indicating there was an exchange request error) and throw, which will cause the Refresher to go into backoff retry mode. However, the other place that looks at error is notifyTokenListeners which calls the error callback for any 3P listeners if it finds error. If we have a valid token still, and it's just the proactive refresh attempt that's failing, we should just keep sending the token to 3P listeners as usual, it isn't an error from their point of view. That's why we use internalError for this case, so notifyTokenListeners can ignore it and the Refresher's operation callback can use it and throw, just as it does for error.
2. Replaced then with finally. The return token part of the then callback is no longer needed as the original promise already returns the token.

Testing

Tested this using a 30 minute token and taking the tab offline using devtools, after initial token fetch. While offline, the app attempted to make requests to Firestore, and later App Check, after the App Check token had expired, but no more than 1 request per minute (and I think most were triggered by Firestore, which needs to get an App Check token when it tries to connect to the backend). After returning tab to online state, it immediately got a new token, and Firestore was able to write.

[changeset-bot]

🦋 Changeset detected

Latest commit: 15a0524

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@firebase/app-check	Patch
@firebase/app-check-compat	Patch
firebase	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[google-oss-bot]

Size Report ¹

Affected Products

• @firebase/app-check

  Type	Base (e35db6f)	Merge (7f0de3a)	Diff
  browser	25.2 kB	25.6 kB	+336 B (+1.3%)
  esm5	29.9 kB	30.3 kB	+411 B (+1.4%)
  main	31.1 kB	31.5 kB	+423 B (+1.4%)
  module	25.2 kB	25.6 kB	+336 B (+1.3%)

• bundle

  Type	Base (e35db6f)	Merge (7f0de3a)	Diff
  app-check (CustomProvider)	35.5 kB	35.7 kB	+217 B (+0.6%)
  app-check (ReCaptchaEnterpriseProvider)	37.7 kB	37.9 kB	+217 B (+0.6%)
  app-check (ReCaptchaV3Provider)	37.7 kB	37.9 kB	+217 B (+0.6%)

• firebase

  Type	Base (e35db6f)	Merge (7f0de3a)	Diff
  firebase-app-check-compat.js	22.9 kB	23.1 kB	+197 B (+0.9%)
  firebase-app-check.js	21.7 kB	21.8 kB	+175 B (+0.8%)
  firebase-compat.js	738 kB	738 kB	+199 B (+0.0%)

Test Logs

• Base (e35db6f): https://github.com/firebase/firebase-js-sdk/actions/runs/3070363706
• Merge (7f0de3a): https://github.com/firebase/firebase-js-sdk/actions/runs/3099369662

1. https://storage.googleapis.com/firebase-sdk-metric-reports/N6rbXAaT7r.html

[google-oss-bot]

Size Analysis Report ¹

Affected Products

• @firebase/app-check

  • CustomProvider

    Size

    Type	Base (e35db6f)	Merge (e8a727d)	Diff
    size	7.51 kB	7.59 kB	+81 B (+1.1%)
    size-with-ext-deps	25.0 kB	25.0 kB	+83 B (+0.3%)

  • ReCaptchaEnterpriseProvider

    Size

    Type	Base (e35db6f)	Merge (e8a727d)	Diff
    size	11.1 kB	11.1 kB	+81 B (+0.7%)
    size-with-ext-deps	28.4 kB	28.5 kB	+83 B (+0.3%)

  • ReCaptchaV3Provider

    Size

    Type	Base (e35db6f)	Merge (e8a727d)	Diff
    size	11.0 kB	11.1 kB	+81 B (+0.7%)
    size-with-ext-deps	28.4 kB	28.4 kB	+83 B (+0.3%)

  • getToken

    Size

    Type	Base (e35db6f)	Merge (e8a727d)	Diff
    size	7.13 kB	7.22 kB	+81 B (+1.1%)
    size-with-ext-deps	24.1 kB	24.2 kB	+83 B (+0.3%)

  • initializeAppCheck

    Size

    Type	Base (e35db6f)	Merge (e8a727d)	Diff
    size	11.0 kB	11.1 kB	+77 B (+0.7%)
    size-with-ext-deps	28.6 kB	28.7 kB	+78 B (+0.3%)

  • onTokenChanged

    Size

    Type	Base (e35db6f)	Merge (e8a727d)	Diff
    size	7.23 kB	7.31 kB	+81 B (+1.1%)
    size-with-ext-deps	24.2 kB	24.3 kB	+83 B (+0.3%)

  • setTokenAutoRefreshEnabled

    Size

    Type	Base (e35db6f)	Merge (e8a727d)	Diff
    size	7.26 kB	7.34 kB	+81 B (+1.1%)
    size-with-ext-deps	24.3 kB	24.4 kB	+83 B (+0.3%)

Test Logs

• Base (e35db6f): https://github.com/firebase/firebase-js-sdk/actions/runs/3070363706
• Merge (e8a727d): https://github.com/firebase/firebase-js-sdk/actions/runs/3091530980

1. https://storage.googleapis.com/firebase-sdk-metric-reports/ODojxAu9mO.html

[google-oss-bot]

Size Analysis Report ¹

Affected Products

• @firebase/app-check

  • CustomProvider

    Size

    Type	Base (e35db6f)	Merge (7f0de3a)	Diff
    size	7.51 kB	7.72 kB	+217 B (+2.9%)
    size-with-ext-deps	25.0 kB	25.2 kB	+222 B (+0.9%)

  • ReCaptchaEnterpriseProvider

    Size

    Type	Base (e35db6f)	Merge (7f0de3a)	Diff
    size	11.1 kB	11.3 kB	+217 B (+2.0%)
    size-with-ext-deps	28.4 kB	28.6 kB	+222 B (+0.8%)

  • ReCaptchaV3Provider

    Size

    Type	Base (e35db6f)	Merge (7f0de3a)	Diff
    size	11.0 kB	11.2 kB	+217 B (+2.0%)
    size-with-ext-deps	28.4 kB	28.6 kB	+222 B (+0.8%)

  • getToken

    Size

    Type	Base (e35db6f)	Merge (7f0de3a)	Diff
    size	7.13 kB	7.35 kB	+217 B (+3.0%)
    size-with-ext-deps	24.1 kB	24.4 kB	+222 B (+0.9%)

  • initializeAppCheck

    Size

    Type	Base (e35db6f)	Merge (7f0de3a)	Diff
    size	11.0 kB	11.2 kB	+215 B (+2.0%)
    size-with-ext-deps	28.6 kB	28.8 kB	+217 B (+0.8%)

  • onTokenChanged

    Size

    Type	Base (e35db6f)	Merge (7f0de3a)	Diff
    size	7.23 kB	7.45 kB	+217 B (+3.0%)
    size-with-ext-deps	24.2 kB	24.5 kB	+222 B (+0.9%)

  • setTokenAutoRefreshEnabled

    Size

    Type	Base (e35db6f)	Merge (7f0de3a)	Diff
    size	7.26 kB	7.48 kB	+217 B (+3.0%)
    size-with-ext-deps	24.3 kB	24.5 kB	+222 B (+0.9%)

Test Logs

• Base (e35db6f): https://github.com/firebase/firebase-js-sdk/actions/runs/3070363706
• Merge (7f0de3a): https://github.com/firebase/firebase-js-sdk/actions/runs/3099369662

1. https://storage.googleapis.com/firebase-sdk-metric-reports/9bt6fUnek8.html

[dwyfrequency]

Great work!! Everything looks good to me here

[digibake]

Hi @hsubox76

Do you know if this fix has been published yet? I'm currently running into mega infinite loop App Check problems (we're getting 90K invalid requests constantly every single hour for the last 7 days) and I think this may go a long way to fix them. We're really keen to update and try this fix as soon as possible.

Thanks for all the hard work