I have an app deployed through Play that initially did not have Firebase App Check configured. I now integrated App Check into the App without enabling "Enforce" and observed over time after publishing that verified requests increase, but not reaching 100%.
When "Enforce" is enabled and some installs have yet to upgrade, what then is the failure mode for various RTDB calls such as:
For unverified requests, does the following call succeed? Or throw an exception? Or return null?
```java
// (1)
FirebaseDatabase db = FirebaseDatabase.getInstance();
```
And if (1) succeeds, what of:
For unverified requests, does the following call succeed? Or throw an exception? Or return null?
```java
// (2)
DatabaseReference rootDb = db.getReference();
```
Finally if (1) and (2) both succeed, what of:
For unverified requests, does the following call complete (and what of task.isSuccessful)? Or throw an exception? Or not return at all?
```java
// (3)
rootDb.child("test").child("testRead").get().addOnCompleteListener(new OnCompleteListener<DataSnapshot>() {
    @Override
    public void onComplete(@NonNull Task<DataSnapshot> task) {
        if (!task.isSuccessful()) {
            Log.e(TAG, "Error reading from fb");
        } else {
            Log.d(TAG, "Good database read: " + task.getResult().getValue());
        }
    }
});
```
I'd rather not enable "Enforce" just to find out the results as that will potentially cause crashes in unverified installations/requests.
Calls 1 and 2 will definitely succeed, as they're purely client-side operations and App Check is only enforced on the server.
Call 3 will fail (for clients without a valid App Check token) with a permission denied error, same as when your security rules would reject the operation.
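The behaviour described in the answer above, as an added example that is not part of the original question or answer: a single-value read whose rejection is handled as a normal outcome, so installs without a valid App Check token degrade instead of crashing. The class `TestReadProbe` and its `Callback` interface are hypothetical names, and the mapping of an App Check rejection to `DatabaseError.PERMISSION_DENIED` is an assumption taken from the answer's statement that it matches a security-rules denial.

```java
import android.util.Log;
import androidx.annotation.NonNull;
import com.google.firebase.database.DataSnapshot;
import com.google.firebase.database.DatabaseError;
import com.google.firebase.database.DatabaseReference;
import com.google.firebase.database.FirebaseDatabase;
import com.google.firebase.database.ValueEventListener;

// Hypothetical helper; names are illustrative and not from the original post.
public final class TestReadProbe {
    private static final String TAG = "TestReadProbe";

    /** Hypothetical callback so the UI can react, e.g. by asking the user to update. */
    public interface Callback {
        void onValue(Object value);
        void onDenied();                   // server refused the read
        void onOtherFailure(Exception e);  // network or other server-side failure
    }

    public static void read(@NonNull final Callback cb) {
        // (1) and (2): client-side object construction only, no server round trip.
        DatabaseReference rootDb = FirebaseDatabase.getInstance().getReference();

        // (3): the server decides. A rejection is delivered to onCancelled,
        // it is not thrown from the calling code.
        rootDb.child("test").child("testRead")
                .addListenerForSingleValueEvent(new ValueEventListener() {
            @Override
            public void onDataChange(@NonNull DataSnapshot snapshot) {
                cb.onValue(snapshot.getValue());
            }

            @Override
            public void onCancelled(@NonNull DatabaseError error) {
                if (error.getCode() == DatabaseError.PERMISSION_DENIED) {
                    // Assumption from the answer: enforced App Check rejections
                    // surface with the same code as a security-rules denial.
                    Log.w(TAG, "Read denied by server: " + error.getMessage());
                    cb.onDenied();
                } else {
                    Log.e(TAG, "Read failed", error.toException());
                    cb.onOtherFailure(error.toException());
                }
            }
        });
    }
}
```

With the `get()` form from the question, the equivalent safeguard is to read `task.getException()` in the failure branch and never call `task.getResult()` unless `task.isSuccessful()` is true.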