resolveWebProvider method
The web provider dreamic will pass to activate.
isDebug defaults to AppConfigBase.appCheckUseDebugProviders (real-vs-
debug per environment, NOT build mode); pass an explicit value in tests to
exercise both branches under the always-debug test runner. The site key
falls back to AppConfigBase.appCheckRecaptchaSiteKey when
webRecaptchaSiteKey is empty; an empty effective key keeps the keyless-web
guard (returns WebDebugProvider rather than throwing on a keyless release
web build).
Implementation
WebProvider resolveWebProvider({bool? isDebug}) {
final override = webProviderOverride;
if (override != null) return override;
final debug = isDebug ?? AppConfigBase.appCheckUseDebugProviders;
final key = webRecaptchaSiteKey.isNotEmpty
? webRecaptchaSiteKey
: AppConfigBase.appCheckRecaptchaSiteKey;
if (debug) {
return WebDebugProvider();
}
if (key.isEmpty) {
// Real attestation was intended (debug providers OFF) but no reCAPTCHA site
// key is configured — fall back to WebDebugProvider rather than letting the
// SDK throw "Missing required parameters: sitekey" on a keyless release web
// build. This is a MISCONFIGURATION on a real-attestation build: these
// tokens will NOT pass real App Check enforcement, so a server with
// APP_CHECK_ENFORCE=true rejects every call. Fail-soft but warn loudly
// (the failure is otherwise invisible until runtime rejection).
logw(
'AppCheck: real attestation is enabled (APP_CHECK_DEBUG=false) but no web '
'reCAPTCHA site key is configured (AppCheckConfig.webRecaptchaSiteKey and '
'APP_CHECK_RECAPTCHA_SITE_KEY are both empty) — falling back to '
'WebDebugProvider. These tokens will NOT pass real App Check enforcement; '
'set the reCAPTCHA site key for web release builds.',
);
return WebDebugProvider();
}
return webRecaptchaEnterprise
? ReCaptchaEnterpriseProvider(key)
: ReCaptchaV3Provider(key);
}