address PR comments

Author: lahirumaramba

firebase_admin/app_check.py

@@ -20,6 +20,7 @@
 from jwt import InvalidAudienceError, InvalidIssuerError, InvalidSignatureError
 from firebase_admin import _utils
 from firebase_admin import _http_client
+import requests
 
 _APP_CHECK_ATTRIBUTE = '_app_check'
 
@@ -49,6 +50,7 @@ class _AppCheckService:
 
     _APP_CHECK_ISSUER = 'https://firebaseappcheck.googleapis.com/'
     _JWKS_URL = 'https://firebaseappcheck.googleapis.com/v1/jwks'
+    _APP_CHECK_V1BETA_URL = 'https://firebaseappcheck.googleapis.com/v1beta'
     _project_id = None
     _scoped_project_id = None
     _jwks_client = None
@@ -73,7 +75,7 @@ def __init__(self, app):
             self._JWKS_URL, lifespan=21600, headers=self._APP_CHECK_HEADERS)
         self._http_client = _http_client.JsonHttpClient(
             credential=app.credential,
-            base_url='https://firebaseappcheck.googleapis.com/v1beta')
+            base_url=self._APP_CHECK_V1BETA_URL)
 
 
     def verify_token(self, token: str, consume: bool = False) -> Dict[str, Any]:
@@ -100,10 +102,13 @@ def verify_token(self, token: str, consume: bool = False) -> Dict[str, Any]:
 
     def _verify_replay_protection(self, token: str) -> bool:
         """Verifies the token's consumption status."""
-        path = f'/{self._scoped_project_id}:verifyAppCheckToken'
+        path = f'{self._scoped_project_id}:verifyAppCheckToken'
         body = {'app_check_token': token}
-        response = self._http_client.body('post', path, json=body)
-        return response.get('alreadyConsumed', False)
+        try:
+            response = self._http_client.body('post', path, json=body)
+            return response.get('alreadyConsumed', False)
+        except requests.exceptions.RequestException as error:
+            raise _utils.handle_platform_error_from_requests(error)
 
     def _has_valid_token_headers(self, headers: Any) -> None:
         """Checks whether the token has valid headers for App Check."""

tests/test_app_check.py

@@ -18,8 +18,9 @@
 
 from jwt import PyJWK, InvalidAudienceError, InvalidIssuerError
 from jwt import ExpiredSignatureError, InvalidSignatureError
+import requests
 import firebase_admin
-from firebase_admin import app_check
+from firebase_admin import app_check, exceptions
 from tests import testutils
 
 NON_STRING_ARGS = [[], tuple(), {}, True, False, 1, 0]
@@ -252,11 +253,30 @@ def test_verify_token_with_consume(self, mocker):
             assert payload == expected
             mock_http_client.return_value.body.assert_called_once_with(
                 'post',
-                f'/{SCOPED_PROJECT_ID}:verifyAppCheckToken',
+                f'{SCOPED_PROJECT_ID}:verifyAppCheckToken',
                 json={'app_check_token': 'encoded'})
         finally:
             firebase_admin.delete_app(app)
 
+    def test_verify_token_with_consume_network_error(self, mocker):
+        """Test verify_token with consume=True handles network errors."""
+        mocker.patch("jwt.decode", return_value=JWT_PAYLOAD_SAMPLE)
+        mocker.patch("jwt.PyJWKClient.get_signing_key_from_jwt", return_value=PyJWK(signing_key))
+        mocker.patch("jwt.get_unverified_header", return_value=JWT_PAYLOAD_SAMPLE.get("headers"))
+        mock_http_client = mocker.patch("firebase_admin._http_client.JsonHttpClient")
+        mock_http_client.return_value.body.side_effect = requests.exceptions.RequestException("Network error")
+        
+        # Use a fresh app to ensure _AppCheckService is re-initialized with the mock
+        cred = testutils.MockCredential()
+        app = firebase_admin.initialize_app(cred, {'projectId': PROJECT_ID}, name='test_consume_error')
+
+        try:
+            with pytest.raises(exceptions.UnknownError) as excinfo:
+                app_check.verify_token("encoded", app, consume=True)
+            assert str(excinfo.value) == "Unknown error while making a remote service call: Network error"
+        finally:
+            firebase_admin.delete_app(app)
+
     def test_verify_token_with_non_list_audience_raises_error(self, mocker):
         jwt_with_non_list_audience = JWT_PAYLOAD_SAMPLE.copy()
         jwt_with_non_list_audience["aud"] = '1234'