0

I am trying to implement App Check in my Xcode project, so that only my app is allowed to access the Firebase Database.

I've configured the App Check settings in Firebase. I've changed the Firebase Database rules to:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.token.app_check != null;
    }
  }
}

(The app doesn't require authentication) So that only if a valid token is received, it will grant access. My Swift code looks like this:

//
//  Gossip_GirlApp.swift
//  Gossip-Girl
//
//  Created by Julius Pleunes on 25/11/2024.
//

import SwiftUI
import Firebase
import FirebaseAppCheck

@main
struct Gossip_GirlApp: App {
    init() {
        FirebaseApp.configure()
        
        // Configureer App Check met DeviceCheck
        AppCheck.setAppCheckProviderFactory(DeviceCheckProviderFactory())
        
        // Debugging: Controleer Firebase configuratie
        FirebaseConfiguration.shared.setLoggerLevel(.debug)

        print("✅ Firebase en App Check zijn geconfigureerd")
        
        // Debugging: Test App Check token
        AppCheck.appCheck().token(forcingRefresh: true) { token, error in
            if let error = error {
                print("⚠️ Error fetching App Check token: \(error.localizedDescription)")
            } else if let token = token?.token {
                print("✅ App Check token: \(token)")
            } else {
                print("⚠️ App Check token is nil")
            }
        }

        // Test Firestore-toegang
        let db = Firestore.firestore()
        db.collection("posts").getDocuments { snapshot, error in
            if let error = error {
                print("⚠️ Error fetching posts: \(error.localizedDescription)")
            } else if let documents = snapshot?.documents {
                print("✅ Successfully fetched posts:")
                for document in documents {
                    print("\(document.documentID): \(document.data())")
                }
            } else {
                print("⚠️ No documents found in 'posts' collection.")
            }
        }
    }

    var body: some Scene {
        WindowGroup {
            MainView() // Start met de tab bar view
        }
    }
}

As you can see, I am using the DeviceCheck feature to generate the key, but my app is failing to retrieve the data. If I change the Rules in Firebase to open to everyone, than it succesfully retrieves the data, so I think the problem lies in the Firebase code, but I cant figure out what is wrong

When trying to fetch the data, I see this error in the Xcode console:

⚠️ Error fetching posts: Missing or insufficient permissions.

Improve this question
0

1 Answer 1

Reset to default
2

Firebase App Check doesn't integrate into security rules at all. There is no rule you can write to use App Check to control access to resources.

You can enable App Check for Firestore as a whole in your project by simply following the instructions in the documentation, which doesn't involve security rules at all:

To enable enforcement for Realtime Database, Cloud Firestore, Cloud Storage, Authentication (beta), and Vertex AI in Firebase, follow the instructions below. Once you enable enforcement for a product, all unverified requests to that product will be rejected.

  1. Open the App Check section of the Firebase console.

  2. Expand the metrics view of the product for which you want to enable enforcement.

  3. Click Enforce and confirm your choice.

    (Your project must be upgraded to Firebase Authentication with Identity Platform to enable enforcement for Authentication.)

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Hi, thank you for answering. I had already followed the documentation and enforced App Check for my app. Realtime Database (which I am using now) and Storage, still needs private security rules, so that the data isn't open to the public. Right now I have used *** { "rules": { ".read": "auth != null", ".write": "auth != null" } } *** For the Realtime database while App Check was enforced, but there is still random data being injected into my database, that was not caused by me, so I believe that this is not secure enough. Thank you.
App Check doesn't provide any guarantees. It's just an additional hurdle of difficulty. There is no way to make the database "private" with security rules while also allowing unauthenticated users access - you can find this by doing some web searches that will land you on similar questions here on SO. If you want to control access in a more secure way, you need to also be using Firebase Auth with security rules that require the end user be authenticated. The rules alone can't do that.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.