Enforced App Check on my app and on my cloud functions does not prevent calls from outside


I use Firebase Cloud Functions in my iOS app. I want to protect them with Firebase App Check. I did all of the steps from the "Get Started" guide: included the App Check framework, implemented the code needed for App Attest, and added the App Attest entitlement.

My functions use Express. I also enforced App Check there:

exports.myfunc = functions
  .runWith({enforceAppCheck: true})
  .https.onRequest(app);

Yet it doesn't seem to work at all. My functions work as expected when called from my app. However, I see no "callable-request-verification" logs in the Cloud Functions console. I'm able to call my functions successfully outside of my app - from my desktop with curl.

How do I diagnose where the problem is?

Vlad Grigorov On

I need to use "callable" Cloud functions both on the client and on the backend for AppCheck to work. I think this is not stressed enough in the documentation.

On the client

try await functions.httpsCallable("foo").call(params)  // AppCheck works

let url = URL(string: "https://us-central1-myproject.cloudfunctions.net/foo")!  // URL(string:) returns an optional
var request: URLRequest = .init(url: url)
try await URLSession.shared.data(for: request)         // AppCheck doesn't work

On the backend

exports.foo = functions
  .runWith({enforceAppCheck: true})
  .https.onCall((data, context) => {     // AppCheck works
});

const app = express();
exports.foo = functions
  .runWith({enforceAppCheck: true})
  .https.onRequest(app);                 // AppCheck doesn't work
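
For an Express app served through onRequest, where the answer above notes that enforceAppCheck has no effect, the App Check token can be verified in middleware instead. This is an added example, not code from the question or the answer; `requireAppCheck`, `fakeVerify` and `simulate` are hypothetical names, while the `X-Firebase-AppCheck` header and `getAppCheck().verifyToken()` are the Firebase Admin SDK's documented way to check tokens on a custom backend.

```javascript
// Added example: Express-style middleware that rejects requests without a
// valid App Check token. `verifyToken` is injected so the block runs offline;
// in a deployed function it would be (t) => getAppCheck().verifyToken(t) from
// "firebase-admin/app-check" (assumes the Admin SDK has been initialised).
function requireAppCheck(verifyToken) {
  return async function (req, res, next) {
    // The token travels in this request header.
    const token = req.header("X-Firebase-AppCheck");
    if (!token) {
      return res.status(401).json({ error: "missing App Check token" });
    }
    try {
      // The verifier throws when the token is malformed, expired or foreign.
      req.appCheck = await verifyToken(token);
      return next();
    } catch (err) {
      return res.status(401).json({ error: "invalid App Check token" });
    }
  };
}

// Constructed stand-in verifier for the demo: accepts exactly one token.
async function fakeVerify(token) {
  if (token !== "constructed-valid-token") throw new Error("bad token");
  return { appId: "1:000000000000:ios:constructed" };
}

// Constructed req/res doubles so the middleware can be exercised without
// Express; the returned object records what the middleware did.
async function simulate(headers) {
  const result = { status: null, body: null, nextCalled: false };
  const req = { header: (name) => headers[name.toLowerCase()] };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  await requireAppCheck(fakeVerify)(req, res, () => { result.nextCalled = true; });
  return result;
}

// Wiring for the Express app from the question (not run here):
//   app.use(requireAppCheck((t) => getAppCheck().verifyToken(t)));
//   exports.myfunc = functions.https.onRequest(app);
```

With this in place a plain curl request without the header receives a 401. A client that calls the URL directly, as in the URLSession snippet above, has to fetch an App Check token from the SDK and attach it to the request itself.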