firebase · rlazo · Mar 10, 2025 · Mar 10, 2025 · Mar 10, 2025 · Mar 10, 2025
diff --git a/firebase-functions/CHANGELOG.md b/firebase-functions/CHANGELOG.md
@@ -1,4 +1,5 @@
 # Unreleased
+* [fixed] Fixed an issue that prevented the App Check token from being handled correctly in case of error.
 
 # 21.1.1
 * [fixed] Resolve Kotlin migration visibility issues

diff --git a/...tions/src/androidTest/java/com/google/firebase/functions/FirebaseContextProviderTest.java b/...tions/src/androidTest/java/com/google/firebase/functions/FirebaseContextProviderTest.java
@@ -117,7 +117,7 @@ public void getContext_whenOnlyAuthIsAvailableAndNotSignedIn_shouldContainOnlyIi
   }
 
   @Test
-  public void getContext_whenOnlyAppCheckIsAvailableAndHasError_shouldContainOnlyIid()
+  public void getContext_whenOnlyAppCheckIsAvailableAndHasError()
       throws ExecutionException, InterruptedException {
     FirebaseContextProvider contextProvider =
         new FirebaseContextProvider(
@@ -129,11 +129,12 @@ public void getContext_whenOnlyAppCheckIsAvailableAndHasError_shouldContainOnlyI
     HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isNull();
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
-    assertThat(context.getAppCheckToken()).isNull();
+    // AppCheck token needs to be send in all circumstances.
+    assertThat(context.getAppCheckToken()).isEqualTo(APP_CHECK_TOKEN);
   }
 
   @Test
-  public void getContext_facLimitedUse_whenOnlyAppCheckIsAvailableAndHasError_shouldContainOnlyIid()
+  public void getContext_facLimitedUse_whenOnlyAppCheckIsAvailableAndHasError()
       throws ExecutionException, InterruptedException {
     FirebaseContextProvider contextProvider =
         new FirebaseContextProvider(
@@ -145,7 +146,8 @@ public void getContext_facLimitedUse_whenOnlyAppCheckIsAvailableAndHasError_shou
     HttpsCallableContext context = Tasks.await(contextProvider.getContext(true));
     assertThat(context.getAuthToken()).isNull();
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
-    assertThat(context.getAppCheckToken()).isNull();
+    // AppCheck token needs to be sent in all circumstances.
+    assertThat(context.getAppCheckToken()).isEqualTo(APP_CHECK_LIMITED_USE_TOKEN);
   }
 
   @Test

diff --git a/firebase-functions/src/main/java/com/google/firebase/functions/FirebaseContextProvider.kt b/firebase-functions/src/main/java/com/google/firebase/functions/FirebaseContextProvider.kt
@@ -88,11 +88,9 @@ constructor(
       if (getLimitedUseAppCheckToken) appCheck.limitedUseToken else appCheck.getToken(false)
     return tokenTask.onSuccessTask(executor) { result: AppCheckTokenResult ->
       if (result.error != null) {
-        // If there was an error getting the App Check token, do NOT send the placeholder
-        // token. Only valid App Check tokens should be sent to the functions backend.
         Log.w(TAG, "Error getting App Check token. Error: " + result.error)
-        return@onSuccessTask Tasks.forResult<String?>(null)
       }
+      // Send valid token (success) or placeholder (failure).
       Tasks.forResult(result.token)
     }
   }