Skip to content

docs(firestore-semantic-search): correct App Check and Auth claims for query function#1104

Open
cabljac wants to merge 1 commit into
mainfrom
docs/issue-686-appcheck
Open

docs(firestore-semantic-search): correct App Check and Auth claims for query function#1104
cabljac wants to merge 1 commit into
mainfrom
docs/issue-686-appcheck

Conversation

@cabljac

@cabljac cabljac commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Summary

Fixes #686.

The firestore-semantic-search docs claimed the query Callable Function was "protected by App Check" and "requires that you are signed in with a Firebase Auth user". Neither is true:

  • queryIndex is registered as a plain functions.https.onCall(queryIndexHandler) with no App Check enforcement (enforceAppCheck / runWith).
  • queryIndexHandler(data) never inspects the auth context, so no Firebase Auth is required either.

This corrects the documentation to describe the actual behaviour rather than changing the function itself.

Changes

  • PREINSTALL.md / README.md: replace the "requires a signed-in Firebase Auth user" claim with an accurate description - the function does not enforce Auth or App Check by default, only ever returns document IDs (so Firestore Security Rules still protect document contents), and developers who want to lock down the endpoint should enable App Check enforcement and/or add their own auth checks.
  • POSTINSTALL.md: same correction to the "Example client integration" note.
  • Bumped extension version to 0.1.11 and added a CHANGELOG entry.

Notes

Scope is documentation only. Adding actual App Check / Auth enforcement to the callable would be a behavioural change and is left for a separate discussion. The related firestore-vector-search extension makes no App Check claim in its docs, so no correction was needed there.

The query Callable Function docs stated the endpoint was protected by
App Check and required a signed-in Firebase Auth user. Neither is
enforced: the function is registered as a plain onCall handler with no
App Check enforcement and the handler never inspects the auth context.

Update PREINSTALL, README, and POSTINSTALL to describe the actual
behaviour - the function is callable by any client, only ever returns
document IDs (so Firestore Security Rules still protect document
contents), and developers who need to restrict access should enable
App Check enforcement and/or add their own auth checks.

Fixes #686
@cabljac cabljac force-pushed the docs/issue-686-appcheck branch from f1963f8 to 81e1485 Compare July 2, 2026 10:15
@cabljac cabljac marked this pull request as ready for review July 2, 2026 10:18
@cabljac cabljac requested a review from CorieW July 2, 2026 13:13
## Example client integration

Now that you have an index with data in it, you can run text similarity search queries directly from your client application. Note that this Callable Function is protected by App Check and requires that you are signed in with a [Firebase Auth](https://firebase.google.com/docs/auth) call the Function from your client application.
Now that you have an index with data in it, you can run text similarity search queries directly from your client application. Note that this Callable Function does not enforce [App Check](https://firebase.google.com/docs/app-check) or [Firebase Auth](https://firebase.google.com/docs/auth) by default, so any client with your Firebase project configuration is able to call it. The function only ever returns document IDs (never document contents), so your Firestore Security Rules continue to govern access to the underlying documents. If you need to restrict access to the query function itself, enable App Check enforcement and/or add your own authentication checks.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if instead of declaring that it's not enforced, we just remove the text saying that it is enforced? The changelog can reflect the clarification. Outside of that, users wouldn't automatically assume that it is enforced, so it doesn't seem relevant to document that it's not enforced.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah that's fair

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

firestore-semantic-search - AppCheck missing?

2 participants