AppCheck do not schedule an auto-refresh if a stored token exists

[Gazer]

[REQUIRED] Step 2: Describe your environment

• Android Studio version: 2022.3.1
• Firebase Component: AppCheck
• Component version: 32.2.0

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

When we call getAppCheckToken with forceRefresh as false, if we have a valid token stored in the cachedToken there is no call to tokenRefreshManager to schedule the next auto-refresh (if enable). Also, when the library is initialised and DefaultFirebaseAppCheck is created we call retrieveStoredAppCheckTokenInBackground to read and cache the stored token, but no call to tokenRefreshManager is done.

This means that if we restart the app with a valid token, we loose the auto-refresh feature (if enabled) and the next update will be when the cached token expires, the library will not try to refresh it in background.

Relevant Code:

private Task<Void> retrieveStoredAppCheckTokenInBackground(@NonNull Executor executor) {
    TaskCompletionSource<Void> taskCompletionSource = new TaskCompletionSource<>();
    executor.execute(
        () -> {
          AppCheckToken token = storageHelper.retrieveAppCheckToken();
          if (token != null) {
            setCachedToken(token);
          }
          taskCompletionSource.setResult(null);
        });
    return taskCompletionSource.getTask();
  }

public Task<AppCheckToken> getAppCheckToken(boolean forceRefresh) {
    return retrieveStoredTokenTask.continueWithTask(
        liteExecutor,
        unused -> {
          if (!forceRefresh && hasValidToken()) {
            return Tasks.forResult(cachedToken);
          }
          if (appCheckProvider == null) {
            return Tasks.forException(new FirebaseException("No AppCheckProvider installed."));
          }
          return fetchTokenFromProvider();
        });
  }

One solution may be call tokenRefreshManager.maybeScheduleTokenRefresh(token); after setCachedToken(token); in retrieveStoredAppCheckTokenInBackground

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[argzdev]

Hi @Gazer, thanks for reaching out. Reading through the codebase does seem to do as how you explained it to be.

Could you clarify a few things for me:
When you mentioned that "we loose the auto-refresh feature (if enabled) and the next update will be when the cached token expires, the library will not try to refresh it in background.",

1. How do we loose the auto-refresh feature when a cache token is present? I'm not seeing where this is happening in the codebase.
2. Do you mean that if the cache token is expired and the app is closed. The app will not refresh the token in the background, but will wait until the app is reopened again before a new token is retrieved?

[Gazer]

1. We use ApCheck with a custom backend, not with Firebase services. When we start the app and we already have a valid token, the refreshManager is not creating the schedule task to refresh the token automatically. In practice, what happens is that we do not receive the call to the callback with the new token when the token is about to expire.
2. No, we do not expect to get a refresh with the app in background, but if we start the app with a valid token that expire in X minutes, we expect to get the token auto-refresh 5 minutes before (as per the current implementation of Appcheck library) the token expires.

[argzdev]

Thanks for the extra details, @Gazer. This clarifies a lot. That said, I'll try and simulate this scenario. If there's any chance you have a minimal reproducible example ready, please do share it with us. It'll really help us speed up the investigation. Thanks!

[argzdev]

After further investigation, it seems to me that the SDK is already scheduling auto-refresh in the TokenRefreshManager during background state changes:

firebase-android-sdk/appcheck/firebase-appcheck/src/main/java/com/google/firebase/appcheck/internal/TokenRefreshManager.java

Lines 76 to 79 in dff55b6

	if (shouldScheduleRefresh()) {
	tokenRefresher.scheduleRefresh(
	nextRefreshTimeMillis - clock.currentTimeMillis());
	}

I've tested this with a custom provider and the scheduler seems to schedule the refresh correctly (approx. 30 minutes), though I haven't tested this fully of waiting for it to expire then refresh since this requires 30+ minutes just to test the scenario. In the meantime, could you point me where in our documentation that states auto-refresh is 5 minutes prior to expiration, we might need to update that? Usually the refresh should be immediate if the token is around half of the TTL.

The default TTL of 1 hour is reasonable for most apps. Note that the App Check library refreshes tokens at approximately half the TTL duration.

In your case, is your app not receiving the new tokens when the TTL is about to expire? If so, could you share code snippets or minimal repro so we can investigate this further since I'm unable to reproduce the issue?

No, we do not expect to get a refresh with the app in background, but if we start the app with a valid token that expire in X minutes, we expect to get the token auto-refresh 5 minutes before (as per the current implementation of Appcheck library) the token expires.

In this scenario, are these the correct steps to reproduce this behavior:

1. Open app, TTL will expire in 1 hr
2. Keep app open, do nothing for 50 minutes
3. app does not refresh token, even after token expires(?)

[neugartf]

👋 Jumping in (I'm a colleague of @Gazer)!

---

Did you try to restart the application? It does seem like the first time a token is obtained the RefreshManager is correctly running.
However once there is a valid one and the app would be started, there is no refresh intent. The token shown in the screenshot is expected to be refreshed into ~30 minutes TTL.

Here is a repo with minimal implementation, although there isn't anything surprising: https://github.com/neugartf/bug_5235.

Thanks for the help!