Fix client-side throttling for Play Integrity flows (#5395)

Changes:
- Successful `GeneratePlayIntegrityChallenge` call should not reset
`RetryManager` backoff
- Cache in-flight App Check token fetching tasks
- Update `403` errors to throttle with exponential backoff rather than a
flat one-day period (to match
[iOS](https://github.com/firebase/firebase-ios-sdk/blob/f3a14c249e001b3c894bb943ecc3973f50e60a49/FirebaseAppCheck/Sources/Core/Backoff/FIRAppCheckBackoffWrapper.m#L264-L268))

Author: rosalyntan

appcheck/firebase-appcheck-playintegrity/CHANGELOG.md

@@ -1,4 +1,6 @@
 # Unreleased
+* [fixed] Fixed client-side throttling in Play Integrity flows.
+
 * [unchanged] Updated to keep [app_check] SDK versions aligned.
 
 # 17.0.0

appcheck/firebase-appcheck/CHANGELOG.md

@@ -1,6 +1,8 @@
 # Unreleased
 * [fixed] Fixed a bug causing internal tests to depend directly on `firebase-common`.
 
+* [fixed] Fixed client-side throttling in Play Integrity flows.
+
 * [changed] Added Kotlin extensions (KTX) APIs from `com.google.firebase:firebase-appcheck-ktx`
   to `com.google.firebase:firebase-appcheck` under the `com.google.firebase.appcheck` package.
   For details, see the
@@ -12,8 +14,6 @@
   now deprecated. As early as April 2024, we'll no longer release KTX modules. For details, see the
   [FAQ about this initiative](https://firebase.google.com/docs/android/kotlin-migration)
 
-
-
 # 17.0.1
 * [changed] Internal updates to allow Firebase SDKs to obtain limited-use tokens.
 

appcheck/firebase-appcheck/src/main/java/com/google/firebase/appcheck/internal/DefaultFirebaseAppCheck.java

@@ -61,6 +61,7 @@ public class DefaultFirebaseAppCheck extends FirebaseAppCheck {
   private AppCheckProviderFactory appCheckProviderFactory;
   private AppCheckProvider appCheckProvider;
   private AppCheckToken cachedToken;
+  private Task<AppCheckToken> cachedTokenTask;
 
   public DefaultFirebaseAppCheck(
       @NonNull FirebaseApp firebaseApp,
@@ -192,24 +193,27 @@ public Task<AppCheckTokenResult> getToken(boolean forceRefresh) {
                 DefaultAppCheckTokenResult.constructFromError(
                     new FirebaseException("No AppCheckProvider installed.")));
           }
-          // TODO: Cache the in-flight task.
-          return fetchTokenFromProvider()
-              .continueWithTask(
-                  liteExecutor,
-                  appCheckTokenTask -> {
-                    if (appCheckTokenTask.isSuccessful()) {
-                      return Tasks.forResult(
-                          DefaultAppCheckTokenResult.constructFromAppCheckToken(
-                              appCheckTokenTask.getResult()));
-                    }
-                    // If the token exchange failed, return a dummy token for integrators to attach
-                    // in their headers.
-                    return Tasks.forResult(
-                        DefaultAppCheckTokenResult.constructFromError(
-                            new FirebaseException(
-                                appCheckTokenTask.getException().getMessage(),
-                                appCheckTokenTask.getException())));
-                  });
+          if (cachedTokenTask == null
+              || cachedTokenTask.isComplete()
+              || cachedTokenTask.isCanceled()) {
+            cachedTokenTask = fetchTokenFromProvider();
+          }
+          return cachedTokenTask.continueWithTask(
+              liteExecutor,
+              appCheckTokenTask -> {
+                if (appCheckTokenTask.isSuccessful()) {
+                  return Tasks.forResult(
+                      DefaultAppCheckTokenResult.constructFromAppCheckToken(
+                          appCheckTokenTask.getResult()));
+                }
+                // If the token exchange failed, return a dummy token for integrators to attach
+                // in their headers.
+                return Tasks.forResult(
+                    DefaultAppCheckTokenResult.constructFromError(
+                        new FirebaseException(
+                            appCheckTokenTask.getException().getMessage(),
+                            appCheckTokenTask.getException())));
+              });
         });
   }
 
@@ -247,7 +251,12 @@ public Task<AppCheckToken> getAppCheckToken(boolean forceRefresh) {
           if (appCheckProvider == null) {
             return Tasks.forException(new FirebaseException("No AppCheckProvider installed."));
           }
-          return fetchTokenFromProvider();
+          if (cachedTokenTask == null
+              || cachedTokenTask.isComplete()
+              || cachedTokenTask.isCanceled()) {
+            cachedTokenTask = fetchTokenFromProvider();
+          }
+          return cachedTokenTask;
         });
   }
 

appcheck/firebase-appcheck/src/main/java/com/google/firebase/appcheck/internal/NetworkClient.java

@@ -121,7 +121,8 @@ public AppCheckTokenResponse exchangeAttestationForAppCheckToken(
       throw new FirebaseException("Too many attempts.");
     }
     URL url = new URL(String.format(getUrlTemplate(tokenType), projectId, appId, apiKey));
-    String response = makeNetworkRequest(url, requestBytes, retryManager);
+    String response =
+        makeNetworkRequest(url, requestBytes, retryManager, /* resetRetryManagerOnSuccess= */ true);
     return AppCheckTokenResponse.fromJsonString(response);
   }
 
@@ -138,11 +139,15 @@ public String generatePlayIntegrityChallenge(
     }
     URL url =
         new URL(String.format(PLAY_INTEGRITY_CHALLENGE_URL_TEMPLATE, projectId, appId, apiKey));
-    return makeNetworkRequest(url, requestBytes, retryManager);
+    return makeNetworkRequest(
+        url, requestBytes, retryManager, /* resetRetryManagerOnSuccess= */ false);
   }
 
   private String makeNetworkRequest(
-      @NonNull URL url, @NonNull byte[] requestBytes, @NonNull RetryManager retryManager)
+      @NonNull URL url,
+      @NonNull byte[] requestBytes,
+      @NonNull RetryManager retryManager,
+      boolean resetRetryManagerOnSuccess)
       throws FirebaseException, IOException, JSONException {
     HttpURLConnection urlConnection = createHttpUrlConnection(url);
 
@@ -187,7 +192,9 @@ private String makeNetworkRequest(
                 + " body: "
                 + httpErrorResponse.getErrorMessage());
       }
-      retryManager.resetBackoffOnSuccess();
+      if (resetRetryManagerOnSuccess) {
+        retryManager.resetBackoffOnSuccess();
+      }
       return responseBody;
     } finally {
       urlConnection.disconnect();

appcheck/firebase-appcheck/src/main/java/com/google/firebase/appcheck/internal/RetryManager.java

@@ -26,7 +26,6 @@
 public class RetryManager {
 
   @VisibleForTesting static final int BAD_REQUEST_ERROR_CODE = 400;
-  @VisibleForTesting static final int FORBIDDEN_ERROR_CODE = 403;
   @VisibleForTesting static final int NOT_FOUND_ERROR_CODE = 404;
   @VisibleForTesting static final long MAX_EXP_BACKOFF_MILLIS = 4 * 60 * 60 * 1000; // 4 hours
   @VisibleForTesting static final long ONE_DAY_MILLIS = 24 * 60 * 60 * 1000; // 24 hours
@@ -91,9 +90,7 @@ public void updateBackoffOnFailure(int errorCode) {
 
   @BackoffStrategyType
   private static int getBackoffStrategyByErrorCode(int errorCode) {
-    if (errorCode == BAD_REQUEST_ERROR_CODE
-        || errorCode == FORBIDDEN_ERROR_CODE
-        || errorCode == NOT_FOUND_ERROR_CODE) {
+    if (errorCode == BAD_REQUEST_ERROR_CODE || errorCode == NOT_FOUND_ERROR_CODE) {
       return ONE_DAY;
     }
     return EXPONENTIAL;

appcheck/firebase-appcheck/src/test/java/com/google/firebase/appcheck/internal/NetworkClientTest.java

@@ -325,7 +325,7 @@ public void generatePlayIntegrityChallenge_successResponse_returnsJsonString() t
     verify(mockOutputStream)
         .write(JSON_REQUEST.getBytes(), /* off= */ 0, JSON_REQUEST.getBytes().length);
     verify(mockRetryManager, never()).updateBackoffOnFailure(anyInt());
-    verify(mockRetryManager).resetBackoffOnSuccess();
+    verify(mockRetryManager, never()).resetBackoffOnSuccess();
     verifyRequestHeaders();
   }
 

appcheck/firebase-appcheck/src/test/java/com/google/firebase/appcheck/internal/RetryManagerTest.java

@@ -16,7 +16,6 @@
 
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.firebase.appcheck.internal.RetryManager.BAD_REQUEST_ERROR_CODE;
-import static com.google.firebase.appcheck.internal.RetryManager.FORBIDDEN_ERROR_CODE;
 import static com.google.firebase.appcheck.internal.RetryManager.MAX_EXP_BACKOFF_MILLIS;
 import static com.google.firebase.appcheck.internal.RetryManager.NOT_FOUND_ERROR_CODE;
 import static com.google.firebase.appcheck.internal.RetryManager.ONE_DAY_MILLIS;
@@ -60,14 +59,6 @@ public void updateBackoffOnFailure_badRequestError_oneDayRetryStrategy() {
         .isEqualTo(CURRENT_TIME_MILLIS + ONE_DAY_MILLIS);
   }
 
-  @Test
-  public void updateBackoffOnFailure_forbiddenError_oneDayRetryStrategy() {
-    retryManager.updateBackoffOnFailure(FORBIDDEN_ERROR_CODE);
-
-    assertThat(retryManager.getNextRetryTimeMillis())
-        .isEqualTo(CURRENT_TIME_MILLIS + ONE_DAY_MILLIS);
-  }
-
   @Test
   public void updateBackoffOnFailure_notFoundError_oneDayRetryStrategy() {
     retryManager.updateBackoffOnFailure(NOT_FOUND_ERROR_CODE);
@@ -78,9 +69,9 @@ public void updateBackoffOnFailure_notFoundError_oneDayRetryStrategy() {
 
   @Test
   public void updateBackoffOnFailure_oneDayRetryStrategy_multipleRetries() {
-    retryManager.updateBackoffOnFailure(FORBIDDEN_ERROR_CODE);
-    retryManager.updateBackoffOnFailure(FORBIDDEN_ERROR_CODE);
-    retryManager.updateBackoffOnFailure(FORBIDDEN_ERROR_CODE);
+    retryManager.updateBackoffOnFailure(BAD_REQUEST_ERROR_CODE);
+    retryManager.updateBackoffOnFailure(BAD_REQUEST_ERROR_CODE);
+    retryManager.updateBackoffOnFailure(BAD_REQUEST_ERROR_CODE);
 
     // The backoff period should not increase for consecutive failed retries with the ONE_DAY
     // strategy.
@@ -133,7 +124,7 @@ public void updateBackoffOnFailure_exponentialRetryStrategy() {
 
   @Test
   public void canRetry_beforeNextRetryTime() {
-    retryManager.updateBackoffOnFailure(FORBIDDEN_ERROR_CODE);
+    retryManager.updateBackoffOnFailure(BAD_REQUEST_ERROR_CODE);
 
     // Sanity check.
     assertThat(mockClock.currentTimeMillis()).isEqualTo(CURRENT_TIME_MILLIS);
@@ -145,7 +136,7 @@ public void canRetry_beforeNextRetryTime() {
 
   @Test
   public void canRetry_afterNextRetryTime() {
-    retryManager.updateBackoffOnFailure(FORBIDDEN_ERROR_CODE);
+    retryManager.updateBackoffOnFailure(BAD_REQUEST_ERROR_CODE);
     long nextRetryMillis = retryManager.getNextRetryTimeMillis();
 
     when(mockClock.currentTimeMillis()).thenReturn(nextRetryMillis + 1);
@@ -154,7 +145,7 @@ public void canRetry_afterNextRetryTime() {
 
   @Test
   public void resetBackoffOnSuccess() {
-    retryManager.updateBackoffOnFailure(FORBIDDEN_ERROR_CODE);
+    retryManager.updateBackoffOnFailure(BAD_REQUEST_ERROR_CODE);
     // Sanity check.
     assertThat(retryManager.getNextRetryTimeMillis())
         .isEqualTo(CURRENT_TIME_MILLIS + ONE_DAY_MILLIS);