Don't verify auth token on public endpoints #1557
Comments
|
I found a few problems with this issue:
|
|
Hey @AlexJetplan you need to set the invoker to public to allow the function to serve public requests. You can put it directly in the options object where you specify cors (or alternatively in the global options for all funcitons): export const heartbeat = onRequest({ cors: true, invoker: "public" }, (request, response) => {
const data = {
isConnected: true,
timestamp: new Date().getTime(),
}
response.json({ data })
})Thanks |
Hey, my apologies, I posted the wrong sample code, the issue was in regards to The issue also isn't that it isn't publicly available, the issue is that it is accessible by anybody but at the same time if you provide an invalid token it will reject the request. I have updated the issue with the code that won't work, my apologies! |
|
Hey @AlexJetplan. How are you invoking this function? Via an HTTPS request? |
exaby73
added
Needs: Author Feedback
Hey! In our app we are invoking it using the firebase sdk, but for you to reproduce the issue more easily you can just use a regular https client like postman or curl or whatever you want, anything will work. The important bit is that you have to send a request that has the |
google-oss-bot
added
Needs: Attention
and removed
Needs: Author Feedback
|
Is there a use case where you need to send an invalid token to a public endpoint? I feel like this can be solved by omitting the token from the client if I am not wrong |
exaby73
added
Needs: Author Feedback
If you are using the firebase sdk you don't have control over the header being emitted or not. You simply just do: functions.httpsCallable('functionName')() |
google-oss-bot
added
Needs: Attention
and removed
Needs: Author Feedback
|
Just to understand your case better, is the SDK sending an invalid auth header? |
exaby73
added
Needs: Author Feedback
Yes the sdk is sending an invalid auth header. They are invalid in the sense that the auth token probably expired. So it's not the formatting that's invalid, it's the token itself. |
|
Hey @AlexJetplan. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically. If you have more information that will help us get to the bottom of this, just add a comment! |
|
bump |
google-oss-bot
added
Needs: Attention
and removed
Needs: Author Feedback
[REQUIRED] Version info
node:
v18.19.0
firebase-functions:
4.9.0
firebase-tools:
13.5.2
firebase-admin:
12.0.0
[REQUIRED] Test case
[REQUIRED] Steps to reproduce
AuhtorizationheaderAuthroizationheader[REQUIRED] Expected behavior
Since it's a public endpoint it should always return a response, no matter if the token is provided, valid, or invalid. I have had cases in the past where the js SDK would cause the token to become invalid and users couldn't access public endpoints anymore, one of which was a heartbeat endpoint to make sure the user is still connected.
[REQUIRED] Actual behavior
The request is rejected when you provide an auth header with an invalid token.
Were you able to successfully deploy your functions?
Yes
The text was updated successfully, but these errors were encountered: