fix(app-check): Prevent redundant exchangeToken calls in debug mode (#9187)

nicole0707 · web-flow · commit b9209dc91050 · 2025-07-29T10:40:18.000-07:00
diff --git a/packages/app-check/.changeset/chatty-laws-sleep.md b/packages/app-check/.changeset/chatty-laws-sleep.md
@@ -0,0 +1,5 @@
+---
+'@firebase/app-check': patch
+---
+
+Prevent redundant exchangeToken calls in debug mode
diff --git a/packages/app-check/src/internal-api.test.ts b/packages/app-check/src/internal-api.test.ts
@@ -630,6 +630,31 @@ describe('internal api', () => {
       expect(token).to.deep.equal({ token: fakeRecaptchaAppCheckToken.token });
     });
 
+    it('exchanges debug token only once if debug mode with no cached token', async () => {
+      const exchangeTokenStub: SinonStub = stub(
+        client,
+        'exchangeToken'
+      ).returns(Promise.resolve(fakeRecaptchaAppCheckToken));
+      const debugState = getDebugState();
+      debugState.enabled = true;
+      debugState.token = new Deferred();
+      debugState.token.resolve('my-debug-token');
+      const appCheck = initializeAppCheck(app, {
+        provider: new ReCaptchaV3Provider(FAKE_SITE_KEY)
+      });
+      const appCheckService = appCheck as AppCheckService;
+      const [token1, token2] = await Promise.all([
+        getToken(appCheckService),
+        getToken(appCheckService)
+      ]);
+      expect(exchangeTokenStub.args[0][0].body['debug_token']).to.equal(
+        'my-debug-token'
+      );
+      expect(token1).to.deep.equal({ token: fakeRecaptchaAppCheckToken.token });
+      expect(token2).to.deep.equal({ token: fakeRecaptchaAppCheckToken.token });
+      expect(exchangeTokenStub).to.be.calledOnce;
+    });
+
     it('throttles for a period less than 1d on 503', async () => {
       // More detailed check of exponential backoff in providers.test.ts
       const appCheck = initializeAppCheck(app, {
diff --git a/packages/app-check/src/internal-api.ts b/packages/app-check/src/internal-api.ts
@@ -118,10 +118,11 @@ export async function getToken(
    */
   if (isDebugMode()) {
     try {
+      const debugToken = await getDebugToken();
       // Avoid making another call to the exchange endpoint if one is in flight.
       if (!state.exchangeTokenPromise) {
         state.exchangeTokenPromise = exchangeToken(
-          getExchangeDebugTokenRequest(app, await getDebugToken()),
+          getExchangeDebugTokenRequest(app, debugToken),
           appCheck.heartbeatServiceProvider
         ).finally(() => {
           // Clear promise when settled - either resolved or rejected.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@firebase/app-check': patch
 +---
++
 +Prevent redundant exchangeToken calls in debug mode