From 10effb7404fe282d20e4f2ba724206be985457dd Mon Sep 17 00:00:00 2001 From: Copybara Date: Mon, 20 Apr 2026 06:48:46 -0700 Subject: [PATCH] Add Firebase App Check skill - Created new skill for Firebase App Check in third_party/firebase/agent_skills/skills/firebase_app_check. - Added reference files for iOS, Android, Web, and Flutter. - Added EVAL.yaml and TEST.md. PiperOrigin-RevId: 902611616 --- skills/firebase-app-check/SKILL.md | 47 +++++++++++++ skills/firebase-app-check/TEST.md | 51 ++++++++++++++ .../firebase-app-check/references/android.md | 48 +++++++++++++ .../firebase-app-check/references/flutter.md | 48 +++++++++++++ skills/firebase-app-check/references/ios.md | 69 +++++++++++++++++++ skills/firebase-app-check/references/web.md | 42 +++++++++++ 6 files changed, 305 insertions(+) create mode 100644 skills/firebase-app-check/SKILL.md create mode 100644 skills/firebase-app-check/TEST.md create mode 100644 skills/firebase-app-check/references/android.md create mode 100644 skills/firebase-app-check/references/flutter.md create mode 100644 skills/firebase-app-check/references/ios.md create mode 100644 skills/firebase-app-check/references/web.md diff --git a/skills/firebase-app-check/SKILL.md b/skills/firebase-app-check/SKILL.md new file mode 100644 index 0000000..5c600dc --- /dev/null +++ b/skills/firebase-app-check/SKILL.md 
@@ -0,0 +1,47 @@ +--- +name: firebase-app-check +description: >- + Enables setting up Firebase App Check for mobile and web applications to + protect backend resources from abuse. Use when configuring App Check for + iOS, Android, Web, or Flutter apps using default providers like + DeviceCheck, App Attest, Play Integrity, and reCAPTCHA. +--- + +# Firebase App Check + +## Overview + +Firebase App Check helps protect your backend resources from abuse, such as +billing fraud and phishing, by ensuring that requests originate from your +authentic app. + +This skill provides guidance on setting up App Check with the default providers +for various platforms. + +## Platform Setup Guides + +Select the guide for your platform: + +- **iOS**: See [ios.md](references/ios.md) for DeviceCheck and App Attest + setup. +- **Android**: See [android.md](references/android.md) for Play Integrity + setup. +- **Web**: See [web.md](references/web.md) for reCAPTCHA setup. +- **Flutter**: See [flutter.md](references/flutter.md) for Flutter-specific + integration. + +## General Principles + +- **Enforcement**: Do not enable enforcement until you have monitored metrics + and verified that legitimate users will not be blocked. +- **Debug Provider**: Always use the debug provider for local development and + CI environments to avoid depleting quotas and blocking access. + +## Resources + +### references/ + +- [ios.md](references/ios.md): iOS setup details. +- [android.md](references/android.md): Android setup details. +- [web.md](references/web.md): Web setup details. +- [flutter.md](references/flutter.md): Flutter setup details. diff --git a/skills/firebase-app-check/TEST.md b/skills/firebase-app-check/TEST.md new file mode 100644 index 0000000..c85e515 --- /dev/null +++ b/skills/firebase-app-check/TEST.md 
@@ -0,0 +1,51 @@ +# Firebase App Check Skill - Agent E2E Test Plan + +## Prerequisites + +**Read `SKILL.md` first** to understand the skill's purpose and available references. + +This skill is documentation-only and does not include executable scripts or a CLI binary. Testing focuses on the agent's ability to retrieve and apply the correct information from the reference files. + +--- + +## Test 1: iOS Setup Inquiry + +**Prompt:** "I need to set up App Check for my iOS app. I'm targeting iOS 15. What provider should I use and how do I initialize it in Swift?" + +**Verify:** +- The agent reads `references/ios.md`. +- The agent recommends using **App Attest** (since it's iOS 14+). +- The agent provides a Swift code snippet showing how to set `AppAttestProviderFactory`. + +--- + +## Test 2: Android Setup Inquiry + +**Prompt:** "How do I set up App Check for my Android app using the recommended provider? What do I need to do in the Google Play Console?" + +**Verify:** +- The agent reads `references/android.md`. +- The agent identifies **Play Integrity** as the recommended provider. +- The agent mentions linking the Firebase project in the Google Play Console under App Integrity. + +--- + +## Test 3: Web Setup Inquiry + +**Prompt:** "I want to protect my web app with App Check using reCAPTCHA v3. How do I initialize it?" + +**Verify:** +- The agent reads `references/web.md`. +- The agent provides a JavaScript code snippet using `ReCaptchaV3Provider`. +- The agent mentions that a site key is required. + +--- + +## Test 4: Flutter Setup Inquiry + +**Prompt:** "I'm building a Flutter app and want to enable App Check for Android and iOS. How do I do that in code?" + +**Verify:** +- The agent reads `references/flutter.md`. +- The agent provides a Dart code snippet showing `FirebaseAppCheck.instance.activate`. +- The agent shows setting providers for both `androidProvider` and `appleProvider`. 
diff --git a/skills/firebase-app-check/references/android.md b/skills/firebase-app-check/references/android.md new file mode 100644 index 0000000..72692ff --- /dev/null +++ b/skills/firebase-app-check/references/android.md @@ -0,0 +1,48 @@ +# Android App Check Setup + +Cheatsheet for setting up App Check on Android. + +## Provider +- **Play Integrity**: Default and recommended provider. + +## Setup Steps + +1. **Google Play Console**: + - Select your app. + - In **Release > App integrity**, link your Firebase project. +2. **Firebase Console**: + - Navigate to **Security > App Check**. + - Register your app with **Play Integrity**. + - Provide the SHA-256 fingerprint of your app's signing certificate. +3. **Add SDK**: + - In your `app/build.gradle`, add the dependency: + ```gradle + implementation 'com.google.firebase:firebase-appcheck-playintegrity' + ``` +4. **Initialization**: + - Initialize App Check in your `Application` class or early in your main activity. + +### Kotlin Example + +```kotlin +import android.app.Application +import com.google.firebase.FirebaseApp +import com.google.firebase.appcheck.FirebaseAppCheck +import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory + +class MyApplication : Application() { + override fun onCreate() { + super.onCreate() + FirebaseApp.initializeApp(this) + val firebaseAppCheck = FirebaseAppCheck.getInstance() + firebaseAppCheck.installAppCheckProviderFactory( + PlayIntegrityAppCheckProviderFactory.getInstance() + ) + } +} +``` + +## Gotchas +- Requires Google Play services on the device. +- Daily quota of 10,000 calls for Standard tier. +- Use Debug provider for emulators. diff --git a/skills/firebase-app-check/references/flutter.md b/skills/firebase-app-check/references/flutter.md new file mode 100644 index 0000000..564651e --- /dev/null +++ b/skills/firebase-app-check/references/flutter.md 
@@ -0,0 +1,48 @@ +# Flutter App Check Setup + +Cheatsheet for setting up App Check in Flutter apps. + +## Platform Providers +Flutter App Check uses the default provider for each platform: +- **Android**: Play Integrity +- **iOS**: Device Check or App Attest +- **Web**: reCAPTCHA v3 or Enterprise + +## Setup Steps + +1. **Firebase Console**: Register your iOS, Android, and Web apps in the Firebase console under **Security > App Check** as described in the platform-specific reference files. +2. **Add Dependency**: + ```bash + flutter pub add firebase_app_check + ``` +3. **Initialization**: Initialize App Check in your `main()` function after `Firebase.initializeApp()`. + +### Flutter Example + +```dart +import 'package:flutter/material.dart'; +import 'package:firebase_core/firebase_core.dart'; +import 'package:firebase_app_check/firebase_app_check.dart'; + +Future main() async { + WidgetsFlutterBinding.ensureInitialized(); + await Firebase.initializeApp(); + + await FirebaseAppCheck.instance.activate( + // Web Provider + webProvider: ReCaptchaV3Provider('your-recaptcha-v3-site-key'), + + // Android Provider (Default is Play Integrity) + androidProvider: AndroidProvider.playIntegrity, + + // Apple Provider (Default is Device Check) + appleProvider: AppleProvider.appAttest, + ); + + runApp(const MyApp()); +} +``` + +## Gotchas +- Ensure you follow the setup steps for each platform (e.g., linking Play project, uploading `.p8` for iOS) in the Firebase console. +- See platform-specific reference files for platform-specific gotchas. diff --git a/skills/firebase-app-check/references/ios.md b/skills/firebase-app-check/references/ios.md new file mode 100644 index 0000000..3405e54 --- /dev/null +++ b/skills/firebase-app-check/references/ios.md 
@@ -0,0 +1,69 @@ +# iOS App Check Setup + +Cheatsheet for setting up App Check on iOS. + +## Providers +- **App Attest**: Recommended for iOS 14+. Stronger security. +- **DeviceCheck**: Fallback or for iOS 11+. + +## Setup Steps + +1. **Firebase Console**: + - Navigate to **Security > App Check**. + - Register your app with **DeviceCheck** or **App Attest**. + - For DeviceCheck, you need to upload a private key (`.p8` file) from Apple Developer account. + - For App Attest, you need to link your team ID. + +2. **Add SDK**: + - Swift Package Manager: Add `firebase-app-check`. + - CocoaPods: `pod 'FirebaseAppCheck'` + +3. **Initialization**: + - Initialize the App Check provider factory *before* calling `FirebaseApp.configure()`. + +### Swift Example (App Attest) + +```swift +import UIKit +import FirebaseCore +import FirebaseAppCheck + +class AppDelegate: NSObject, UIApplicationDelegate { + func application(_ application: UIApplication, + didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]? = nil) -> Bool { + // Use AppAttestProviderFactory + let providerFactory = AppCheckDebugProviderFactory() // Use debug for simulator + // In production, use AppAttestProviderFactory + // let providerFactory = AppAttestProviderFactory() + AppCheck.setAppCheckProviderFactory(providerFactory) + + FirebaseApp.configure() + + return true + } +} +``` + +### Swift Example (DeviceCheck) + +```swift +import UIKit +import FirebaseCore +import FirebaseAppCheck + +class AppDelegate: NSObject, UIApplicationDelegate { + func application(_ application: UIApplication, + didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]? = nil) -> Bool { + let providerFactory = DeviceCheckProviderFactory() + AppCheck.setAppCheckProviderFactory(providerFactory) + + FirebaseApp.configure() + + return true + } +} +``` + +## Gotchas +- App Attest requires the `com.apple.developer.devicecheck.appattest` entitlement. 
+- Debug provider is needed for simulators. See `SKILL.md` for debug token instructions. diff --git a/skills/firebase-app-check/references/web.md b/skills/firebase-app-check/references/web.md new file mode 100644 index 0000000..0a9fb2c --- /dev/null +++ b/skills/firebase-app-check/references/web.md @@ -0,0 +1,42 @@ +# Web App Check Setup + +Cheatsheet for setting up App Check on Web. + +## Providers +- **reCAPTCHA v3**: Good for most web apps. +- **reCAPTCHA Enterprise**: For enterprise needs, more advanced features. + +## Setup Steps + +1. **Firebase Console**: + - Navigate to **Security > App Check**. + - Register your app with **reCAPTCHA v3** or **reCAPTCHA Enterprise**. + - You will need to provide a site key. If you don't have one, you can create it in the reCAPTCHA console. +2. **Add SDK**: + - Include the App Check SDK in your web app. +3. **Initialization**: + - Initialize App Check *before* using other Firebase services. + +### JS Example (Modular SDK) + +```javascript +import { initializeApp } from "firebase/app"; +import { initializeAppCheck, ReCaptchaV3Provider } from "firebase/app-check"; + +const firebaseConfig = { + // ... +}; + +const app = initializeApp(firebaseConfig); + +// Pass your reCAPTCHA v3 site key to the provider +const appCheck = initializeAppCheck(app, { + provider: new ReCaptchaV3Provider('your-recaptcha-v3-site-key'), + isTokenAutoRefreshEnabled: true // Set to true to allow auto-refresh +}); +``` + +## Gotchas +- reCAPTCHA v3 has a monthly quota of 1M free verifications. +- reCAPTCHA Enterprise has a free tier of 10,000 assessments per month. +- Ensure your authorized domains are correctly configured in the reCAPTCHA console.
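Review bot: In skills/firebase-app-check/SKILL.md, the General Principles section says to "always use the debug provider" but contains no debug token instructions, even though references/ios.md ends with "See `SKILL.md` for debug token instructions". Either add a short section here on how a debug token is obtained and registered, and state that the debug provider must not be left in release builds, or drop the cross-reference. The Enforcement bullet also says when not to enable enforcement but never says where the metrics are read or where enforcement is switched on, so a reader following only this skill can finish setup with enforcement never enabled.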
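Review bot: skills/firebase-app-check/TEST.md has four tests and all of them check provider setup; none checks the two General Principles from SKILL.md (hold enforcement until metrics are reviewed, debug provider for local development and CI). Add a test whose prompt describes a simulator or CI run and verifies that the agent recommends the debug provider, and one that asks about turning enforcement on. Test 1 also expects a snippet that sets `AppAttestProviderFactory`, while the App Attest example in references/ios.md has that line only as a comment. Separately, the commit message lists EVAL.yaml as added, but the diffstat shows six files and none of them is EVAL.yaml.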
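Review bot: In references/android.md, step 3 gives `implementation 'com.google.firebase:firebase-appcheck-playintegrity'` with no version and no Firebase BoM line, and a version-less coordinate only resolves when the BoM platform dependency is declared as well. Show the BoM line next to it or pin a version. The Gotchas say "Use Debug provider for emulators", but the file shows neither the debug dependency nor a debug-build branch in `MyApplication.onCreate()`, so the Kotlin example as written installs Play Integrity on emulators too.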
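Review bot: In references/flutter.md, the comment `// Apple Provider (Default is Device Check)` sits directly above `appleProvider: AppleProvider.appAttest`, so the comment and the value disagree about what the example configures. Reword the comment to say the line overrides the default with App Attest, and carry over the iOS 14+ requirement stated in references/ios.md, since no fallback is shown for older devices. The example also has no debug-build branch, which conflicts with the Debug Provider principle in SKILL.md.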
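Review bot: In references/ios.md, the block headed "Swift Example (App Attest)" installs `AppCheckDebugProviderFactory()`; the `AppAttestProviderFactory()` line is commented out, and the first comment (`// Use AppAttestProviderFactory`) contradicts the code beneath it. Copied as is, this ships the debug provider in a production build. Make the App Attest factory the active line and confine the debug factory to a `#if targetEnvironment(simulator)` or debug-configuration branch. The Providers list calls DeviceCheck a "Fallback", but neither example shows how the fallback is selected on devices below iOS 14.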
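Review bot: references/web.md gives no way to follow the Debug Provider principle from SKILL.md: the example always constructs `ReCaptchaV3Provider`, and nothing covers localhost or CI, where those verifications count against the quota listed under Gotchas. Add the debug-token setup for local development. Step 2 ("Include the App Check SDK in your web app") names no package or install command, and step 1 offers reCAPTCHA Enterprise while only the v3 provider appears in code.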