Skip to content

Auth Emulator and createSessionCookie /validDuration should be string #2770

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
royletron opened this issue Nov 2, 2020 · 7 comments
Closed

Auth Emulator and createSessionCookie /validDuration should be string #2770

royletron opened this issue Nov 2, 2020 · 7 comments
Labels
emulator-suite emulators: auth

Comments

@royletron
Copy link

[REQUIRED] Environment info

firebase-tools:8.14.1

Platform:macOS

[REQUIRED] Test case

const expiresIn = 60 * 60 * 24 * 5 * 1000;
const idToken = '<TOKEN FOUND USING auth().currentUser.getIdToken() ON CLIENT>'
await auth().createSessionCookie(idToken, {
  expiresIn
});

[REQUIRED] Steps to reproduce

This is using firebase-admin on an express backed server, with a front end using firebase and firebase/auth. These are all connected to the firebase emulator running both firestore and the new auth. You'll need to get an ID token for a user (not sure if it has to be valid or not), and then pass this to the createSessionCookie example above. It should fail with the error Invalid JSON payload received. /validDuration should be string. This doesn't happen if I connect to a live Firebase project, only when using the emulator.

[REQUIRED] Expected behavior

That we receive a cookie that we can send back to the client.

[REQUIRED] Actual behavior

{ Error: An internal error has occurred. Raw server response: "{"error":{"code":400,"message":"Invalid JSON payload received. /validDuration should be string","errors":[{"message":"Invalid JSON payload received. /validDuration should be string","reason":"invalid","domain":"global"}],"status":"INVALID_ARGUMENT"}}"
     at FirebaseAuthError.FirebaseError [as constructor] (/Users/redacted-project-path/node_modules/firebase-admin/lib/utils/error.js:43:28)
     at FirebaseAuthError.PrefixedFirebaseError [as constructor] (/Users/redacted-project-path/node_modules/firebase-admin/lib/utils/error.js:89:28)
     at new FirebaseAuthError (/Users/redacted-project-path/node_modules/firebase-admin/lib/utils/error.js:148:16)
     at Function.FirebaseAuthError.fromServerError (/Users/redacted-project-path/node_modules/firebase-admin/lib/utils/error.js:187:16)
     at /Users/redacted-project-path/node_modules/firebase-admin/lib/auth/auth-api-request.js:1510:49
     at process._tickCallback (internal/process/next_tick.js:68:7)
   errorInfo:
    { code: 'auth/internal-error',
      message:
       'An internal error has occurred. Raw server response: "{"error":{"code":400,"message":"Invalid JSON payload received. /validDuration should be string","errors":[{"message":"Invalid JSON payload received. /validDuration should be string","reason":"invalid","domain":"global"}],"status":"INVALID_ARGUMENT"}}"' },
   codePrefix: 'auth' }
@samtstern
Copy link
Contributor

@royletron where is your express server running? Right now the Admin SDK only accepts emulated ID Tokens when running inside of the Cloud Functions emulator. This is a decision we made for security reasons, although we are open to reconsidering this based on developer feedback.

@royletron
Copy link
Author

@samtstern express is just running locally not inside the functions emulator. In prod we run a server on CloudRun so this is more related to our use case

@samtstern
Copy link
Contributor

@royletron ok thanks for clarifying. Right now there's not much you can do about this ... we'd like to expand the situations where we can support verifying emulated tokens but we're still debating the right way to do that.

@samtstern
Copy link
Contributor

@royletron this feature request is being tracked over here: #2764

I'm going to close this one so we can focus the discussion in one thread.

@samtstern samtstern mentioned this issue Nov 5, 2020
Closed
@andymatuschak
Copy link

andymatuschak commented Nov 7, 2020
edited
Loading

@samtstern I think this is a real issue, actually! I'm encountering it even though I'm executing createSessionCookie inside the function emulator. So I dug in, and I believe the validation schema is wrong. The auth emulator validation schema specifies validationDuration as a string, but firebase-admin-node constructs it as a number.

I note that the OpenAPI schema for createSessionCookie specifies the parameter as "string (int64 format)". If that means it's meant to be a string-encoded int64, then this is really a firebase-admin-node bug, although clearly the production auth server is accepting numbers for this parameter.

@samtstern samtstern mentioned this issue Nov 9, 2020
Closed
@samtstern
Copy link
Contributor

@andymatuschak thanks for digging into that! Filed: firebase/firebase-admin-node#1084

muru added a commit to muru/firebase-admin-python that referenced this issue Feb 5, 2021
@muru
Make token expiration a string
304245d 
According to firebase/firebase-tools#2770 (comment)
`validationDuration` should be a string. The production environment also
accepts numbers, but the emulator does not.

Related: firebase/firebase-admin-node#1084
muru added a commit to muru/firebase-admin-python that referenced this issue Feb 5, 2021
@muru
Make token expiration a string
e33f7c4 
According to firebase/firebase-tools#2770 (comment)
`validationDuration` should be a string. The production environment also
accepts numbers, but the emulator does not.

Related: firebase/firebase-admin-node#1084
@yuchenshi
Copy link
Member

As of Firebase CLI v9.3.0, creating session cookie is now supported and we've also added coercion from number to string similar to production behavior (hat tip to @andymatuschak). Note that you need Node.js Admin SDK v9.5.0 to verify these cookies properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
emulator-suite emulators: auth
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@andymatuschak @royletron @samtstern @yuchenshi