Make progress even if AppCheck validation fails (#2928)

Author: schmidt-sebastian

firebase-database/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 20.0.2
+- [fixed] The SDK can now continue to issue writes for apps that send an
+  invalid App Check tokens if AppCheck enforcement is not enabled.
+
 # 20.0.1
 - [fixed] Fixed an issue where connections would hang when using appcheck
   without Auth.

firebase-database/src/main/java/com/google/firebase/database/connection/PersistentConnectionImpl.java

@@ -269,6 +269,7 @@ private enum ConnectionState {
   private static final String SERVER_DATA_TAG = "t";
   private static final String SERVER_DATA_WARNINGS = "w";
   private static final String SERVER_RESPONSE_DATA = "d";
+  private static final String INVALID_APP_CHECK_TOKEN = "Invalid appcheck token";
 
   /** Delay after which a established connection is considered successful */
   private static final long SUCCESSFUL_CONNECTION_ESTABLISHED_DELAY = 30 * 1000;
@@ -559,12 +560,21 @@ public void onDisconnect(Connection.DisconnectReason reason) {
 
   @Override
   public void onKill(String reason) {
-    logger.warn(
-        "Firebase Database connection was forcefully killed by the server. Will not attempt"
-            + " reconnect. Reason: "
-            + reason);
+    if (reason.equals(INVALID_APP_CHECK_TOKEN)
+        && invalidAppCheckTokenCount < INVALID_TOKEN_THRESHOLD) {
+      invalidAppCheckTokenCount++;
+      logger.warn(
+          "Detected invalid AppCheck token. Reconnecting ("
+              + (INVALID_TOKEN_THRESHOLD - invalidAppCheckTokenCount)
+              + " attempts remaining)");
+    } else {
+      logger.warn(
+          "Firebase Database connection was forcefully killed by the server. Will not attempt"
+              + " reconnect. Reason: "
+              + reason);
 
-    interrupt(SERVER_KILL_INTERRUPT_REASON);
+      interrupt(SERVER_KILL_INTERRUPT_REASON);
+    }
   }
 
   @Override
@@ -1120,31 +1130,17 @@ private void sendAppCheckTokenHelper(final boolean restoreStateAfterComplete) {
           String status = (String) response.get(REQUEST_STATUS);
           if (status.equals("ok")) {
             invalidAppCheckTokenCount = 0;
-            if (restoreStateAfterComplete) {
-              restoreState();
-            }
           } else {
             appCheckToken = null;
             forceAppCheckTokenRefresh = true;
             String reason = (String) response.get(SERVER_RESPONSE_DATA);
             logger.debug("App check failed: " + status + " (" + reason + ")");
-
             // Note: We don't close the connection as the developer may not have
             // enforcement enabled. The backend closes connections with enforcements.
-            if (status.equals("invalid_token") || status.equals("permission_denied")) {
-              // We'll wait a couple times before logging the warning / increasing the
-              // retry period since app check tokens will report as "invalid" if they're
-              // just expired. Plus there may be transient issues that resolve themselves.
-              invalidAppCheckTokenCount++;
-              if (invalidAppCheckTokenCount >= INVALID_TOKEN_THRESHOLD) {
-                // Set a long reconnect delay because recovery is unlikely.
-                retryHelper.setMaxDelay();
-                logger.warn(
-                    "Provided app check credentials are invalid. This "
-                        + "usually indicates your FirebaseAppCheck was not initialized "
-                        + "correctly.");
-              }
-            }
+          }
+
+          if (restoreStateAfterComplete) {
+            restoreState();
           }
         };