Add App Check token to FirebaseServerApp

[DellaBitta]

Discussion

Currently a customer enforces App Check for a product in the Firebase console then there's no way to successfully use that product in SSR environments. This is due to the requirement for products SDKs to internally invoke getToken on the a instance of the App Check SDK that the customer's app has initialized. However, the App Check SDK can only be initialized in browser environments.

This PR aims to fix this. FirebaseServerApp will now accept an optional App Check token at initialization. The product SDKs will look for this token, and if it's present, the SDKs will use this value in lieu of calling getToken on App Check.

This change affects the following SDKs:

• Auth
• Cloud Functions
• Data Connect
• Firestore
• Real Time Database
• Vertex AI

Testing

Added tests to FirebaseServerApp's handling of the token. The product SDKs currently don't have viable App Check tests in our test suite, so I manually tested all of the SDKs by enabling App Check enforcement in the Firebase Console, watching them fail due to permissions, and then provided the App Check token to Firebase Server app and watched them succeed.

API Changes

This conforms to the previoulsy approved Existing FirebaseServerApp API proposal (internal) for FirebaseServerApp which includes App Check token support.

[google-oss-bot]

Size Report ¹

Affected Products

• @firebase/app

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	18.4 kB	19.2 kB	+846 B (+4.6%)
  main	19.3 kB	20.1 kB	+838 B (+4.4%)
  module	18.4 kB	19.2 kB	+846 B (+4.6%)

• @firebase/auth

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	188 kB	188 kB	+107 B (+0.1%)
  cordova	164 kB	164 kB	+107 B (+0.1%)
  main	145 kB	145 kB	+111 B (+0.1%)
  module	188 kB	188 kB	+107 B (+0.1%)
  react-native	163 kB	163 kB	+113 B (+0.1%)

• @firebase/auth-cordova

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	164 kB	164 kB	+107 B (+0.1%)
  module	164 kB	164 kB	+107 B (+0.1%)

• @firebase/auth-web-extension

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	140 kB	140 kB	+107 B (+0.1%)
  main	157 kB	157 kB	+113 B (+0.1%)
  module	140 kB	140 kB	+107 B (+0.1%)

• @firebase/auth/internal

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	199 kB	199 kB	+107 B (+0.1%)
  main	171 kB	171 kB	+113 B (+0.1%)
  module	199 kB	199 kB	+107 B (+0.1%)

• @firebase/data-connect

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	20.1 kB	20.3 kB	+157 B (+0.8%)
  main	22.0 kB	22.2 kB	+148 B (+0.7%)
  module	20.1 kB	20.3 kB	+157 B (+0.8%)

• @firebase/database

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	249 kB	249 kB	+332 B (+0.1%)
  main	254 kB	254 kB	+325 B (+0.1%)
  module	249 kB	249 kB	+332 B (+0.1%)

• @firebase/database-compat/standalone

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  main	340 kB	365 kB	+25.9 kB (+7.6%)

• @firebase/firestore

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	382 kB	382 kB	+189 B (+0.0%)
  main	589 kB	589 kB	+270 B (+0.0%)
  module	382 kB	382 kB	+189 B (+0.0%)
  react-native	382 kB	382 kB	+188 B (+0.0%)

• @firebase/firestore-lite

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	111 kB	112 kB	+175 B (+0.2%)
  main	154 kB	154 kB	+269 B (+0.2%)
  module	111 kB	112 kB	+175 B (+0.2%)
  react-native	112 kB	112 kB	+175 B (+0.2%)

• @firebase/functions

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	13.7 kB	14.0 kB	+313 B (+2.3%)
  main	14.2 kB	14.6 kB	+306 B (+2.1%)
  module	13.7 kB	14.0 kB	+313 B (+2.3%)

• @firebase/remote-config

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	21.7 kB	21.7 kB	-1 B (-0.0%)
  main	22.9 kB	22.9 kB	-1 B (-0.0%)
  module	21.7 kB	21.7 kB	-1 B (-0.0%)

• @firebase/storage

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	57.8 kB	58.0 kB	+128 B (+0.2%)
  main	59.3 kB	59.4 kB	+111 B (+0.2%)
  module	57.8 kB	58.0 kB	+128 B (+0.2%)

• @firebase/vertexai

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  browser	28.8 kB	29.0 kB	+220 B (+0.8%)
  main	29.6 kB	29.9 kB	+203 B (+0.7%)
  module	28.8 kB	29.0 kB	+220 B (+0.8%)

• bundle

  40 size changes

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  auth (Anonymous)	76.2 kB	76.4 kB	+130 B (+0.2%)
  auth (EmailAndPassword)	86.4 kB	86.5 kB	+130 B (+0.2%)
  auth (GoogleFBTwitterGitHubPopup)	103 kB	103 kB	+130 B (+0.1%)
  auth (GooglePopup)	100 kB	100 kB	+130 B (+0.1%)
  auth (GoogleRedirect)	100 kB	101 kB	+130 B (+0.1%)
  auth (Phone)	93.8 kB	93.9 kB	+130 B (+0.1%)
  database (Append to a list of data)	149 kB	149 kB	+372 B (+0.2%)
  database (Filtering data)	148 kB	148 kB	+372 B (+0.3%)
  database (Listen for child events)	164 kB	165 kB	+372 B (+0.2%)
  database (Listen for value events + Detach listeners)	164 kB	165 kB	+372 B (+0.2%)
  database (Listen for value events)	164 kB	165 kB	+372 B (+0.2%)
  database (Read data once)	164 kB	164 kB	+372 B (+0.2%)
  database (Save data as transactions)	166 kB	167 kB	+372 B (+0.2%)
  database (Sort data)	150 kB	150 kB	+372 B (+0.2%)
  database (Write data)	148 kB	149 kB	+372 B (+0.3%)
  firestore (CSI Auto Indexing Disable and Delete)	272 kB	273 kB	+221 B (+0.1%)
  firestore (CSI Auto Indexing Enable)	272 kB	273 kB	+221 B (+0.1%)
  firestore (Persistence)	304 kB	304 kB	+221 B (+0.1%)
  firestore (Query Cursors)	249 kB	249 kB	+218 B (+0.1%)
  firestore (Query)	247 kB	247 kB	+218 B (+0.1%)
  firestore (Read data once)	235 kB	235 kB	+218 B (+0.1%)
  firestore (Read Write w Persistence)	328 kB	329 kB	+221 B (+0.1%)
  firestore (Realtime updates)	237 kB	237 kB	+218 B (+0.1%)
  firestore (Transaction)	214 kB	214 kB	+218 B (+0.1%)
  firestore (Write data)	213 kB	214 kB	+218 B (+0.1%)
  firestore-lite (Query Cursors)	103 kB	103 kB	+211 B (+0.2%)
  firestore-lite (Query)	98.8 kB	99.0 kB	+211 B (+0.2%)
  firestore-lite (Read data once)	74.3 kB	74.5 kB	+208 B (+0.3%)
  firestore-lite (Transaction)	99.5 kB	99.8 kB	+211 B (+0.2%)
  firestore-lite (Write data)	83.9 kB	84.1 kB	+211 B (+0.3%)
  functions (call)	34.4 kB	34.7 kB	+318 B (+0.9%)
  remote-config (getAndFetch)	47.5 kB	47.5 kB	-1 B (-0.0%)
  storage (getBytes)	42.1 kB	42.3 kB	+175 B (+0.4%)
  storage (getDownloadURL)	44.2 kB	44.4 kB	+175 B (+0.4%)
  storage (getMetadata)	43.6 kB	43.8 kB	+175 B (+0.4%)
  storage (list + listAll)	43.1 kB	43.2 kB	+175 B (+0.4%)
  storage (updateMetadata)	43.9 kB	44.1 kB	+175 B (+0.4%)
  storage (uploadBytes)	48.8 kB	48.9 kB	+175 B (+0.4%)
  storage (uploadBytesResumable)	58.7 kB	58.9 kB	+175 B (+0.3%)
  storage (uploadString)	49.0 kB	49.1 kB	+175 B (+0.4%)

• firebase

  21 size changes

  Type	Base (0b318a9)	Merge (fca7193)	Diff
  firebase-app-compat.js	31.8 kB	32.3 kB	+552 B (+1.7%)
  firebase-app.js	101 kB	102 kB	+1.43 kB (+1.4%)
  firebase-auth-compat.js	143 kB	143 kB	+109 B (+0.1%)
  firebase-auth-cordova.js	136 kB	136 kB	+87 B (+0.1%)
  firebase-auth-web-extension.js	119 kB	119 kB	+87 B (+0.1%)
  firebase-auth.js	155 kB	155 kB	+87 B (+0.1%)
  firebase-compat.js	798 kB	800 kB	+1.36 kB (+0.2%)
  firebase-data-connect.js	16.7 kB	16.8 kB	+170 B (+1.0%)
  firebase-database-compat.js	166 kB	166 kB	+305 B (+0.2%)
  firebase-database.js	186 kB	187 kB	+309 B (+0.2%)
  firebase-firestore-compat.js	347 kB	347 kB	+155 B (+0.0%)
  firebase-firestore-lite.js	130 kB	130 kB	+163 B (+0.1%)
  firebase-firestore.js	441 kB	441 kB	+172 B (+0.0%)
  firebase-functions-compat.js	10.4 kB	10.6 kB	+231 B (+2.2%)
  firebase-functions.js	14.6 kB	14.8 kB	+236 B (+1.6%)
  firebase-performance-standalone-compat.js	93.7 kB	94.2 kB	+585 B (+0.6%)
  firebase-remote-config-compat.js	28.4 kB	28.4 kB	-2 B (-0.0%)
  firebase-remote-config.js	31.3 kB	31.3 kB	-2 B (-0.0%)
  firebase-storage-compat.js	40.3 kB	40.4 kB	+109 B (+0.3%)
  firebase-storage.js	46.2 kB	46.3 kB	+113 B (+0.2%)
  firebase-vertexai.js	23.8 kB	24.0 kB	+177 B (+0.7%)

Test Logs

• Base (0b318a9): https://github.com/firebase/firebase-js-sdk/actions/runs/12778467973
• Merge (fca7193): https://github.com/firebase/firebase-js-sdk/actions/runs/12835021105

1. https://storage.googleapis.com/firebase-sdk-metric-reports/tE6wAw4WOB.html

[google-oss-bot]

Size Analysis Report ¹

This report is too large (416,182 characters) to be displayed here in a GitHub comment. Please use the below link to see the full report on Google Cloud Storage.

Test Logs

• Base (0b318a9): https://github.com/firebase/firebase-js-sdk/actions/runs/12778467973
• Merge (fca7193): https://github.com/firebase/firebase-js-sdk/actions/runs/12835021105

1. https://storage.googleapis.com/firebase-sdk-metric-reports/p72HYQKCcC.html

[changeset-bot]

🦋 Changeset detected

Latest commit: 3352b7f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 15 packages

Name	Type
@firebase/app	Minor
firebase	Minor
@firebase/data-connect	Patch
@firebase/firestore	Patch
@firebase/functions	Patch
@firebase/database	Patch
@firebase/vertexai	Patch
@firebase/storage	Patch
@firebase/auth	Patch
@firebase/app-compat	Patch
@firebase/firestore-compat	Patch
@firebase/functions-compat	Patch
@firebase/database-compat	Patch
@firebase/storage-compat	Patch
@firebase/auth-compat	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[DellaBitta]

This value was never used.

[DellaBitta]

During the initialization of the Data Connect-specific AppCheckTokenProvider, check if the provided app is a FirebaseServerApp that contains an App Check token. If it does, store the token locally so getToken can return it (below).

[DellaBitta]

Like Data Connect above, check if the provided app is a FirebaseServerApp that contains an App Check token. If it does, store the token locally so getToken can return it (below).

[DellaBitta]

Like the other SDKs (above), for Firestore check if the provided app is a FirebaseServerApp that contains an App Check token. If it does, store the token locally so getToken can return it (below).

[tom-andersen]

Is there any concern of this token expiring?

[DellaBitta]

I attempted to answer this in the main thread of the PR.

[DellaBitta]

Like the other SDKs (above), for Functions check if the provided app is a FirebaseServerApp that contains an App Check token. If it does, store the token locally so getToken can return it (below).

[DellaBitta]

Check to see if Storage's app is a FirebaseServerApp that contains an App Check token. If it does, return the token instead of invoking App Check.

[DellaBitta]

Similiar to the other SDKs (above) check to see if the provided instance of FirebaseApp is one of FirebaseServerApp, and if it contains an App Check token, then return it instead of invoking the App Check SDK.

This implementation differes only slightly to the other SDKs (which use Providers) becuase we already have a direct reference to the FirebaseApp instance itself, similiar to the Storage implementation.

[hsubox76]

I don't think this PR is the time to do it, but we should probably abstract all this logic (maybe also the model name processing) out of GenerativeModel to some kind of shared function that ImagenModel can also use, will give @dlarocque a heads up.

[DellaBitta]

Invalid tokens are now handled by a new flow, which we test in app/src/FirebaseServerApp.test.ts, so I'm removing this test here.

[DellaBitta]

Looks okay. One comment. Also, we we're wondering if/how this solution deals with the expiration or short lifespan of app check tokens?

It's assumed that they will be created via getToken on the client-side and then passed up to the SSR phase via cookies or service workers, probably at first at client sign in.

We'll post a best practice that apps attempt to use that App Check token on the server side, and either check the validity of the token themselves, or call initializeServerApp with a try / catch block to check for token expiration. If the server side encounters an expired token then the app should route to a client-side page that regenerates a new token, and then route back to the page that uses SSR.

[hsubox76]

LG, just nits!

[hsubox76]

It looks like, in RTDB, it will be set to true on any failed request (status !== 'ok') to the auth or app check endpoints.

[hsubox76]

Can't attach comment to line 85 but can we put a ? there so it's appCheckProvider?.get() like RTDB and DataConnect etc seem to have done and I just noticed in this PR, for max efficiency in not bothering to even call get() in the case of no provider.

[DellaBitta]

Done.

[hsubox76]

Can there be a vertexAI instance that doesn't have an app property? How does that happen? Actually come to think of it, what do you think about putting a ? here https://github.com/firebase/firebase-js-sdk/blob/main/packages/app/src/internal.ts#L173 so that it can handle being passed undefined/null, so it would cover if any other caller happens to pass it that.

[DellaBitta]

To answer your first question, I'm not sure. I don't think it's possible but the rest of the code (above) checks for it.

As for the latter, I'll add the ability for the function to take null / undefined!

[DellaBitta]

Done.

[hsubox76]

I don't think this PR is the time to do it, but we should probably abstract all this logic (maybe also the model name processing) out of GenerativeModel to some kind of shared function that ImagenModel can also use, will give @dlarocque a heads up.

[NhienLam]

Auth: LGTM

[DellaBitta]

forceRefresh was never used, so I've removed it for now.

[egilmorez]

Couple of things to look at, thanks!

[egilmorez]

authIdtoken and appChecktoken look like literals that should be backticked.

[DellaBitta]

Fixed.

[egilmorez]

Typo "utilize."

Personally I like in lieu, but I'll bet good money our style guide advises something more like "instead of" or "in place of."

[DellaBitta]

Fixed! I went with "in place of".

[DellaBitta]

Couple of things to look at, thanks!

Thanks @egilmorez. Could you give it a review again? I fixed the problems you found and updated some other comments, so it's worth a full review again.

[egilmorez]

LG with one final possible nit, thanks!

[egilmorez]

Do these strings get pulled into release notes or other public docs?

If so, I'd go with "can now be initialized" and "instead of invoking."

[DellaBitta]

They don't directly. Later, the release engineer crafts the release notes using these as ... inspiration. Updated!