I would like users to create and see posts. Seeing all posts shouldn't require a captcha, but creating a post should require one.
How can I make this work in Firebase?
Hi @gesichtsfelsen,
Based on your scenario, it looks like you’ve enforced Firebase App Check for either Firestore or Realtime Database, so I can see why App Check validation (through reCAPTCHA) is required when your app makes both read (seeing posts) and write (creating posts) operations.
It’s possible for your app to conditionally require App Check enforcement on selected actions. You can enforce it when a user creates posts (for instance, via POST requests), then skip App Check to directly read data when a user views posts (via GET requests). You just need to use the Firebase Admin SDK, as it can be the one to handle the App Check token verification via the appCheck().verifyToken(appCheckToken) method.
Note that using a Firebase Admin SDK requires Node.js as a backend. As shared by @jfriend00, you can use JavaScript as a bridge between your frontend HTML and the Node.js server.
You may also find this answer helpful, which is given by @Frank Van Puffelen, one of the Firebase engineers.
I hope the above information is helpful.
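A sketch of the per-method gate described in the answer above, as an added example that is not part of the original thread or Firebase's own code. It assumes posts are written through a Node.js backend and that the client sends its App Check token in the X-Firebase-AppCheck header; the handler shape, the in-memory store and the stand-in verifier are hypothetical.

```javascript
// Added example. verifyToken is injected so the gate runs offline; in a real
// backend pass (t) => admin.appCheck().verifyToken(t) from firebase-admin.
// The in-memory store and the request/response shapes are hypothetical.
const APP_CHECK_HEADER = "x-firebase-appcheck"; // Node lowercases header names

function makePostsHandler(verifyToken, store = []) {
  return async function handle(req) {
    const method = String(req.method || "").toUpperCase();
    // Reads: no App Check token required.
    if (method === "GET") {
      return { status: 200, body: store.slice() };
    }
    // Fail closed: any verb other than GET/POST is rejected, not passed through.
    if (method !== "POST") {
      return { status: 405, body: { error: "method not allowed" } };
    }
    // Writes: require a token and verify it before touching the store.
    const token = (req.headers || {})[APP_CHECK_HEADER];
    if (typeof token !== "string" || token.length === 0) {
      return { status: 401, body: { error: "missing App Check token" } };
    }
    try {
      await verifyToken(token); // rejects for invalid or expired tokens
    } catch (err) {
      return { status: 401, body: { error: "invalid App Check token" } };
    }
    const text = req.body && req.body.text;
    if (typeof text !== "string" || text.trim() === "") {
      return { status: 400, body: { error: "post text required" } };
    }
    const post = { id: store.length + 1, text: text.trim() };
    store.push(post);
    return { status: 201, body: post };
  };
}

// Constructed stand-in for the Admin SDK verifier, for local runs only.
async function fakeVerify(token) {
  if (token !== "constructed-valid-token") throw new Error("rejected");
  return { appId: "constructed-app-id" };
}

(async () => {
  const handle = makePostsHandler(fakeVerify);
  const headers = { [APP_CHECK_HEADER]: "constructed-valid-token" };
  console.log(await handle({ method: "POST", headers: {}, body: { text: "hi" } }));
  console.log(await handle({ method: "POST", headers, body: { text: "hi" } }));
  console.log(await handle({ method: "GET", headers: {} }));
})();
```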
Thank you @KyleMari for your reply!
I might need to get a bit more specific. Background info:
Write-operations to Firestore should still be checked but reading should be possible without AppCheck.
The best solution would be a way to block write-operations with Firestore Security Rules.
A working solution would probably be to create a callable Cloud Function that checks the token when a user wants to write something. But that would be a bit insecure too as calling cloud functions is obviously not free.