Re: AppCheck w/ ReCaptcha v3 blocked an iPad demo - why?


Wei Xi Fan

Oct 13, 2022, 6:01:38 PM
to Firebase Google Group
Hello -- Firebaser here,

Thank you for reporting this to us. "Add to home screen" converts the app into a Progressive Web App (PWA). Without further specific repro details, unfortunately we wouldn't be able to pinpoint the exact issue, but here are some possibilities.

It's possible something about PWA mode causes the reCAPTCHA check to fail, or it might change something about access to IndexedDB, which the SDK also uses. We can't find anything definitive about the behavior of Safari's PWAs that would cause this, except possibly a bit about how the PWA version of the app and the in-browser version of the app are different and don't share any state. If you log in first on the normal browser and then expect state to carry over to the PWA, it won't work. It's also possible something went wrong so state was partially carried over and it's inconsistent. Additionally, in order for something to be eligible for an "add to home screen" option, it has to be set up as a PWA, which means it has to have a manifest.json, and it's possible there's some setting in there that might be causing a conflict with App Check. Finally, there's a list of known PWA bugs here and a bunch for Safari: https://github.com/PWA-POLICE/pwa-bugs. The ones that might possibly be relevant are "cookie/login isn't shared" and "cross domain authorization".

Regards,
Victor

On Tuesday, October 11, 2022 at 7:44:17 PM UTC-4 m...@jfhr.de wrote:
Hi,

I’ve recently enabled AppCheck enforcement on our web app with ReCaptcha v3 after seeing 0-1% invalid tokens in the console for over a week.

Everything was fine at first.

Yesterday, we were at an irl exhibition where we demonstrated our app to people on an iPad. The iPad was logged in with a new account that was created for that purpose. After a while, Firestore requests from the iPad started failing, because of an invalid AppCheck token.

Interestingly, this only happened when we used "Add to Home Screen" in Safari. If we used the same account in a normal Safari window, everything worked. 

I ended up disabling enforcement so we could keep the presentation going. 

I have two questions now.
  1. Is there any way to tell why we got invalid AppCheck tokens? I.e. what behavior triggered ReCaptcha v3 here?
  2. Is there any way to prevent this, short of disabling enforcement?

Thanks!
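
An added diagnostic sketch for the possibilities raised in the reply above (home-screen PWA versus browser-tab context, IndexedDB access, token fetch); it is not part of the thread and not Firebase's own code. `env`, `fetchToken` and the probe database name are assumptions: in the browser pass `window` and a wrapper around your own App Check token call.

```javascript
// `env` is a window-like object; `fetchToken` is supplied by the caller,
// e.g. () => getToken(appCheck, true) from firebase/app-check
// (assumption: the app has already initialized App Check).

function detectDisplayMode(env) {
  // navigator.standalone is Safari's non-standard flag for home-screen web apps.
  if (env.navigator && env.navigator.standalone === true) return 'standalone';
  const mq = typeof env.matchMedia === 'function'
    ? env.matchMedia('(display-mode: standalone)') : null;
  return mq && mq.matches ? 'standalone' : 'browser';
}

function probeIndexedDB(env, timeoutMs = 3000) {
  return new Promise((resolve) => {
    if (!env.indexedDB) return resolve({ ok: false, reason: 'unavailable' });
    const timer = setTimeout(() => resolve({ ok: false, reason: 'timeout' }), timeoutMs);
    const done = (result) => { clearTimeout(timer); resolve(result); };
    try {
      const req = env.indexedDB.open('appcheck-diag-probe'); // constructed DB name
      req.onsuccess = () => { req.result.close(); done({ ok: true }); };
      req.onerror = () => done({ ok: false, reason: String(req.error) });
    } catch (e) {
      done({ ok: false, reason: String(e) }); // open() can also throw synchronously
    }
  });
}

async function collectReport(env, fetchToken) {
  const report = {
    displayMode: detectDisplayMode(env),
    indexedDB: await probeIndexedDB(env),
    token: { ok: false },
  };
  try {
    const res = await fetchToken();
    report.token = { ok: typeof res.token === 'string' && res.token.length > 0 };
  } catch (e) {
    // Keep the SDK's error code and message so the failing context can be compared.
    report.token = { ok: false, code: e.code || null, message: String(e.message || e) };
  }
  return report;
}
```

Running `collectReport` once in a Safari tab and once from the home-screen icon, then comparing the two reports, shows which of the three signals differs between the contexts.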