flutter firebase google-cloud-platform google-cloud-functions firebase-app-check

Firebase Callable Function with enforceAppCheck Returns "unauthenticated" Error


I'm experiencing an issue with one of my Firebase Cloud Functions. When I call my function from the client, I receive the following error:

unauthenticated

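import 'dart:convert';
import 'dart:io';

import 'package:cloud_functions/cloud_functions.dart';
import 'package:firebase_app_check/firebase_app_check.dart';
import 'package:firebase_auth/firebase_auth.dart';

class FirebasePublicationRepository implements PublicationRepository {
  @override
  Future<String> publishPost({
    required String postType, // "friends" or "public"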
    required String imagePath,
    required String title,
    required String description,
  }) async {
    final User? user = FirebaseAuth.instance.currentUser;
    if (user == null) {
      throw Exception("L'utilisateur n'est pas authentifié.");
    }

    final appCheckToken = await FirebaseAppCheck.instance.getToken();
    if (appCheckToken == null) {
      throw Exception("App Check token is missing.");
    }

    try {
      final File file = File(imagePath);
      final bytes = await file.readAsBytes();
      final String imageBase64 = base64Encode(bytes);

      final HttpsCallable callable =
          FirebaseFunctions.instanceFor(region: 'europe-west1')
              .httpsCallable('uploadPhotoLimit');

      final HttpsCallableResult result = await callable.call({
        'imageBase64': imageBase64,
        'title': title,
        'description': description,
        'postType': postType,
      });

      final data = result.data;
      if (data == null || data['postId'] == null) {
        throw Exception("Erreur de la Cloud Function : postId manquant.");
      }
      return data['postId'] as String;
    } catch (error) {
      throw Exception("Erreur lors de la publication du post: $error");
    }
  }
}
I/flutter ( 6354): Erreur lors de la publication du post: Exception: Erreur lors de la publication du post: [firebase_functions/unauthenticated] UNAUTHENTICATED
I/flutter ( 6354): 
I/flutter ( 6354): #0      StandardMethodCodec.decodeEnvelope (package:flutter/src/services/message_codecs.dart:652:7)
I/flutter ( 6354): #1      MethodChannel._invokeMethod (package:flutter/src/services/platform_channel.dart:370:18)
I/flutter ( 6354): <asynchronous suspension>
I/flutter ( 6354): #2      MethodChannelHttpsCallable.call (package:cloud_functions_platform_interface/src/method_channel/method_channel_https_callable.dart:22:24)
I/flutter ( 6354): <asynchronous suspension>
I/flutter ( 6354): #3      HttpsCallable.call (package:cloud_functions/src/https_callable.dart:49:37)
I/flutter ( 6354): <asynchronous suspension>
I/flutter ( 6354): #4      FirebasePublicationRepository.publishPost (package:coursios/blocs/publication/firebase_publication_repository.dart:46:42)
I/flutter ( 6354): <asynchronous suspension>
I/flutter ( 6354): #5      PublicationBloc._onPublishPost (package:coursios/blocs/publication/publication_bloc.dart:49:22)
I/flutter ( 6354): <asynchronous suspension>
I/flutter ( 6354): #6      Bloc.on.<anonymous closure>.handleEvent (package:bloc/src/bloc.dart:226:13)
I/flutter ( 6354): <asynchronous suspension>
I/flutter ( 6354): 
I/flutter ( 6354): #0      FirebasePublicationRepository.publishPost (package:coursios/blocs/publication/firebase_publication_repository.dart:60:7)
I/flutter ( 6354): <asynchronous suspension>
I/flutter ( 6354): #1      PublicationBloc._onPublishPost (package:coursios/blocs/publication/publication_bloc.dart:49:22)
I/flutter ( 6354): <asynchronous suspension>
I/flutter ( 6354): #2      Bloc.on.<anonymous closure>.handleEvent (package:bloc/src/bloc.dart:226:13)
I/flutter ( 6354): <asynchronous suspension>
I/flutter ( 6354): 

Google Cloud Log

The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#401

I have already attempted to set the permissions to allAuthenticatedUser, but allowing allUsers would completely undermine the purpose of App Check and compromise the security of my application. Using allUsers effectively bypasses the additional verification provided by App Check, leaving my Cloud Functions exposed to unauthorized access and potential abuse. This approach defeats the core principle of ensuring that only legitimate, verified requests from my genuine application are processed.

I've scoured the internet but haven't found a viable solution, apart from no longer requiring App Check.

I also tried deleting the function and redeploying it.


Solution

  • "allowing allUsers would completely undermine the purpose of App Check and compromise the security of my application"

    That's not true. The GCP allUsers permission is a completely different thing than App Check. App Check works separately from GCP IAM permissions to help determine if the thing calling your function is actually your app, and not, for example, some automated or malicious process. (App Check has no knowledge about individual "users".) The GCP allUsers permission is required to be allowed for functions invoked from your client app, and adding it back will make that error go away without affecting App Check.

    You might want to review the documentation on how App Check works to get a better sense of what exactly you are enabling.

    Removing the allUsers permission only makes sense when you have a function that needs to be invoked from another part of your backend using a service account or some other IAM-controlled entity, which doesn't sound like what you're doing here.
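
The answer's point that the IAM invoker permission and App Check are separate checks, shown as an added example (not code from the question, the answer or Firebase). It is a simplified JavaScript model: `evaluateCall`, its field names and the sample requests are all hypothetical and constructed for illustration.

```javascript
// Simplified model of the checks described in the answer. This is an
// assumption for illustration, not Firebase or Cloud Run source code;
// evaluateCall and every field name are hypothetical.
function evaluateCall(config, request) {
  // Layer 1: GCP IAM invoker check, applied before any function code runs.
  // Per the answer, a function invoked from the client app needs allUsers;
  // without it the request stops here and App Check is never consulted.
  const allowedByIam =
    config.invokerMembers.includes('allUsers') ||
    config.invokerMembers.includes(request.iamPrincipal);
  if (!allowedByIam) {
    return { layer: 'iam', httpStatus: 401, clientCode: 'unauthenticated' };
  }
  // Layer 2: App Check. Answers "is this my genuine app?", knows no users.
  if (config.enforceAppCheck && !request.appCheckTokenValid) {
    return { layer: 'app-check', httpStatus: 401, clientCode: 'unauthenticated' };
  }
  // Layer 3: Firebase Auth, enforced by the handler itself.
  if (config.requireSignedInUser && !request.firebaseUid) {
    return { layer: 'handler-auth', httpStatus: 401, clientCode: 'unauthenticated' };
  }
  return { layer: 'handler', httpStatus: 200, clientCode: 'ok' };
}

// Constructed sample configurations and requests.
const backendOnly = {
  invokerMembers: ['serviceAccount:backend@example-project.iam.gserviceaccount.com'],
  enforceAppCheck: true,
  requireSignedInUser: true,
};
const clientFacing = { ...backendOnly, invokerMembers: ['allUsers'] };

const genuineApp = { appCheckTokenValid: true, firebaseUid: 'uid-123' };
const signedOutApp = { appCheckTokenValid: true, firebaseUid: null };
const scriptedCaller = { appCheckTokenValid: false, firebaseUid: null };

for (const [name, cfg, req] of [
  ['genuine app, allUsers removed', backendOnly, genuineApp],
  ['genuine app, allUsers granted', clientFacing, genuineApp],
  ['signed-out app, allUsers granted', clientFacing, signedOutApp],
  ['scripted caller, allUsers granted', clientFacing, scriptedCaller],
]) {
  const r = evaluateCall(cfg, req);
  console.log(`${name}: ${r.clientCode} (decided at ${r.layer})`);
}
```

In the model, an IAM rejection and an App Check rejection reach the client with the same code, so the server-side log is what tells the two layers apart.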