🐛 [N/A] Unclear exception message when GCP Project ACLs do not permit access and throws `Unhandled Exception: FormatException: Invalid envelope` exception

[zmeggyesi]

Bug report

Describe the bug
GCP Project ACLs are not tied directly to the Firebase project, and a desync between the two can create a situation where Firebase calls fail for no apparent reason, and with no clear exception message.

Steps to reproduce

Steps to reproduce the behavior:

1. Complete Firebase SDK setup
2. Set up a set of credentials in GCP
3. Restrict GCP credentials to limited set of APIs
4. Restrict GCP credentials to a single platform (iOS or Android, should not matter)
5. DO NOT specify a package signature, or specify an incorrect one
6. See error or incorrect behavior

Expected behavior

I expect the exception thrown by the Firebase SDK to shed light on the nature of the error, or at least not misdirect me.

Sample project

N/A

---

Additional context

Continuation of #6993.

Although it's the Firebase SDK throwing the error, it's not actually the Firebase SDK that's at fault, nor is it Firebase itself. The problem originates in GCP, which has a separate ACL for the Firebase APIs, including Firebase Remote Config API (though I suspect the Installations API might also play a part, or any of the other Firebase APIs), and because the new package signature was not added in the GCP Credentials ACL, my requests were discarded with an error. This error was, however, not surfaced to me at any point.

So the problem in the referenced issue was not with Firebase itself, but how this particular scenario is communicated to the developer. Because there's a package signature filter both on the Firebase Console (which I remembered to update) and on the GCP Console (which I didn't), this looks more like a UX/architecture issue - which makes it all the thornier and harder to resolve.
My humble recommendation, without being aware of the internals, would be to present the developer with a more specific error message that indicates why the request failed. I realize there is a difficulty in differentiating a request that fails due to the Firebase ACL from one that fails due to GCP's ACL, but I believe it would be important to distinguish between the two.

---

Flutter doctor

Run flutter doctor and paste the output below:

Click To Expand

$ flutter doctor
Doctor summary (to see all details, run flutter doctor -v):
[√] Flutter (Channel stable, 2.5.3, on Microsoft Windows [Version 10.0.22000.348], locale hu-HU)
[√] Android toolchain - develop for Android devices (Android SDK version 31.0.0)
[√] Chrome - develop for the web
[√] Android Studio (version 2020.3)
[√] IntelliJ IDEA Community Edition (version 2021.2)
[√] VS Code (version 1.62.3)
[√] Connected device (3 available)

• No issues found!

---

Flutter dependencies

Run flutter pub deps -- --style=compact and paste the output below:

Click To Expand

firebase_core: 1.10.0
firebase_crashlytics: 2.3.0
firebase_analytics: 8.3.4
firebase_auth: 3.2.0
firebase_remote_config: 0.11.0+2
firebase_storage: 10.1.0

---

[darshankawar]

@zmeggyesi
Thanks for the detailed report, Flutterfire plugins are just wrappers around Firebase SDKs so I am not sure if this would be handled in flutterfire plugins repo. Have you reached out to firebase support on this to see if they have anything on it ?

[zmeggyesi]

@darshankawar Good point, I'll reach out to Firebase support as well. My first thought was that as a Google team, the Firebase SDK team would be in a better position to coordinate with other internal resources.

Allow me to take that first step at Firebase support, and come back with their comments.

[zmeggyesi]

@darshankawar So I had an exchange with Firebase support, and based on a suggestion by one of their developers, I tested the same scenario, but using the Android SDK directly, in a plain old Android app. You can take a look at the minimalist implementation for both Flutter and Android here.

As it turns out, when using the Android SDK directly, I get a different exception indeed:

W/Firebase-Installations: Error when communicating with the Firebase Installations server API. HTTP response: [403 Forbidden: {
      "error": {
        "code": 403,
        "message": "Requests from this Android client application hu.skawa.skunkworks.firebase_acl_demo are blocked.",
        "status": "PERMISSION_DENIED",
        "details": [
          {
            "@type": "type.googleapis.com/google.rpc.ErrorInfo",
            "reason": "API_KEY_ANDROID_APP_BLOCKED",
            "domain": "googleapis.com",
            "metadata": {
              "consumer": "projects/559459207337",
              "service": "firebaseinstallations.googleapis.com"
            }
          }
        ]
      }
    }
    ]
W/Firebase-Installations: Firebase options used while communicating with Firebase server APIs: AIzaSyAmVWo9RKnFODB9mhcLAirxPE5W82DrvyU, graphite-disk-333908-ed6b9, 1:559459207337:android:324ccf9388bc5b51f081b8
E/Firebase-Installations: Firebase Installations can not communicate with Firebase server APIs due to invalid configuration. Please update your Firebase initialization process and set valid Firebase options (API key, Project ID, Application ID) when initializing Firebase.

(Nota Bene: I purposely entered a bad signature in my GCP project, just for testing)

While for Flutter, the corresponding exception is

E/flutter (26572): [ERROR:flutter/lib/ui/ui_dart_state.cc(209)] Unhandled Exception: FormatException: Invalid envelope
E/flutter (26572): #0      convertPlatformException (package:firebase_remote_config_platform_interface/src/method_channel/utils/exception.dart:10:5)
E/flutter (26572): #1      MethodChannelFirebaseRemoteConfig.fetchAndActivate (package:firebase_remote_config_platform_interface/src/method_channel/method_channel_firebase_remote_config.dart:156:13)
E/flutter (26572): <asynchronous suspension>
E/flutter (26572): #2      RemoteConfig.fetchAndActivate (package:firebase_remote_config/src/remote_config.dart:87:26)
E/flutter (26572): <asynchronous suspension>
E/flutter (26572): 

This actually points me towards the FlutterFire plugins, probably somewhere around the core exception handling, as the cause.

Let me know if there's anything else I can assist the process with. If you require access to the GCP project, I can add whoever you specify - the project was created specifically for this demo and has no sensitive data.

[darshankawar]

Thanks for digging in and coming back with the details. I looked at the flutter exception being thrown and it does seem to point to flutterfire code and specifically throwing Unhandled Exception: FormatException: Invalid envelope which could mean an edge case that may need to be handled.

I also see below similar issues reported the same exception, but they all got closed without any concrete solutions. A PR was raised by team member to address it but got closed.
#5958
#6993

Based on above findings and the exceptions received in Flutter as compared on native, I am going ahead and labeling it and for team's radar.