Use App Check with the debug provider

Notice

This page is archived and might not reflect the latest version of the FlutterFire plugins. You can find the latest information on firebase.google.com:

https://firebase.google.com/docs/app-check/flutter/debug-provider

If, after you have registered your app for App Check, and you want to run your app in an environment that App Check would normally not classify as valid, such as a simulator during development, or from a continuous integration (CI) environment, you can create a debug build of your app that uses the App Check debug provider instead of a real attestation provider.

caution

Warning: The debug provider allows access to your Firebase resources from unverified devices. Don't use the debug provider in production builds of your app, and don't share your debug builds with untrusted parties.

For now the debug provider does not currently have a Dart API; you'll need to apply the changes for your platforms as shown below:

Activating the debug provider (iOS/macOS)

Add the dependency for App Check to your project's Podfile

{macos|ios}/Podfile

# ...

target 'Runner' do

# ...

pod 'Firebase/AppCheck'

flutter_install_all_ios_pods File.dirname(File.realpath(__FILE__))

end

# ...

Set the debug provider in your App Delegate:

Objective-C

{macos|ios}/Runner/AppDelegate.m

#import "AppDelegate.h"

#import "GeneratedPluginRegistrant.h"

@import Firebase;

@implementation AppDelegate

- (BOOL)application:(UIApplication *)application

didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {

FIRAppCheckDebugProviderFactory *providerFactory =

[[FIRAppCheckDebugProviderFactory alloc] init];

[FIRAppCheck setAppCheckProviderFactory:providerFactory];

[GeneratedPluginRegistrant registerWithRegistry:self];

// Override point for customization after application launch.

return [super application:application didFinishLaunchingWithOptions:launchOptions];

}

@end

Swift

{macos|ios}/Runner/AppDelegate.swift

import Cocoa

import FlutterMacOS

import Firebase

@NSApplicationMain

class AppDelegate: FlutterAppDelegate {

override func applicationShouldTerminateAfterLastWindowClosed(_ sender: NSApplication) -> Bool {

return true

}

override func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]? = nil) -> Bool {

let providerFactory = AppCheckDebugProviderFactory()

AppCheck.setAppCheckProviderFactory(providerFactory)

return true

}

}

Launch your application. A local debug token will be logged when the SDK tries to send a request to the backend. For example:

[Firebase/AppCheck][I-FAA001001] Firebase App Check Debug Token:

123a4567-b89c-12d3-e456-789012345678

Activating the debug provider (Web)

Set the global FIREBASE_APPCHECK_DEBUG_TOKEN flag to true before your Firebase JS SDKs in your index.html:

web/index.html

<html>

...

<body>

<script>self.FIREBASE_APPCHECK_DEBUG_TOKEN = true;</script>

<script src="https://www.gstatic.com/firebasejs/8.10.0/firebase-app.js"></script>

<script src="https://www.gstatic.com/firebasejs/8.10.0/firebase-app-check.js"></script>

</body>

</html>

Visit your web app locally and open the browser’s developer tool. In the debug console, you’ll see a debug token:

AppCheck debug token: "123a4567-b89c-12d3-e456-789012345678". You will

need to safelist it in the Firebase console for it to work.

Activating the debug provider (Android)

Add the dependency for App Check to your project's android/app/build.gradle:

android/app/build.gradle

// ...

dependencies {

implementation 'com.google.firebase:firebase-appcheck-debug:16.0.0-beta01'

}

// ...

Install the debug provider using the following snippet, e.g. in your MainActivity.java onCreate method:

import com.google.firebase.appcheck.FirebaseAppCheck;

FirebaseApp.initializeApp(/*context=*/ this);

FirebaseAppCheck firebaseAppCheck = FirebaseAppCheck.getInstance();

firebaseAppCheck.installAppCheckProviderFactory(

DebugAppCheckProviderFactory.getInstance());

Launch the app and trigger a call to a Firebase backend service. A local debug token will be logged when the SDK tries to send a request to the backend. For example:

D DebugAppCheckProvider: Enter this debug secret into the allow list in

the Firebase Console for your project: 123a4567-b89c-12d3-e456-789012345678

Add a debug token to Firebase Project settings

In the Project Settings > App Check section of the Firebase console, choose Manage debug tokens from your app's overflow menu. Then, register the debug token you logged in the previous step.

After you register the token, Firebase backend services will accept it as valid.

Because this token allows access to your Firebase resources without a valid device, it is crucial that you keep it private. Don't commit it to a public repository, and if a registered token is ever compromised, revoke it immediately in the Firebase console.

App Check for Functions

Ensure you have App Check for Functions enabled, and check the context for the App Check token:

exports.yourCallableFunction = functions.https.onCall((data, context) => {

// context.app will be undefined if the request doesn't include a valid

// App Check token.

if (context.app == undefined) {

throw new functions.https.HttpsError(

'failed-precondition',

'The function must be called from an App Check verified app.')

}

// Your function logic follows.

});

You may also use the Firebase Local Emulator Suite to test your Cloud Function. You simply have to add another conditional check (i.e. !process.env.FUNCTIONS_EMULATOR) to stop errors from throwing whilst testing:

exports.yourCallableFunction = functions.https.onCall((data, context) => {

// context.app will be undefined if the request doesn't include a valid

// App Check token.

if (context.app == undefined && !process.env.FUNCTIONS_EMULATOR) {

throw new functions.https.HttpsError(

'failed-precondition',

'The function must be called from an App Check verified app.')

}

// Your function logic follows.

});