-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't verify auth token on public endpoints #1557
Comments
I found a few problems with this issue:
|
Hey @AlexJetplan you need to set the invoker to public to allow the function to serve public requests. You can put it directly in the options object where you specify cors (or alternatively in the global options for all funcitons): export const heartbeat = onRequest({ cors: true, invoker: "public" }, (request, response) => {
const data = {
isConnected: true,
timestamp: new Date().getTime(),
}
response.json({ data })
}) Thanks |
Hey, my apologies, I posted the wrong sample code, the issue was in regards to The issue also isn't that it isn't publicly available, the issue is that it is accessible by anybody but at the same time if you provide an invalid token it will reject the request. I have updated the issue with the code that won't work, my apologies! |
Hey @AlexJetplan. How are you invoking this function? Via an HTTPS request? |
Hey! In our app we are invoking it using the firebase sdk, but for you to reproduce the issue more easily you can just use a regular https client like postman or curl or whatever you want, anything will work. The important bit is that you have to send a request that has the |
[REQUIRED] Version info
node:
v18.19.0
firebase-functions:
4.9.0
firebase-tools:
13.5.2
firebase-admin:
12.0.0
[REQUIRED] Test case
[REQUIRED] Steps to reproduce
Auhtorization
headerAuthroization
header[REQUIRED] Expected behavior
Since it's a public endpoint it should always return a response, no matter if the token is provided, valid, or invalid. I have had cases in the past where the js SDK would cause the token to become invalid and users couldn't access public endpoints anymore, one of which was a heartbeat endpoint to make sure the user is still connected.
[REQUIRED] Actual behavior
The request is rejected when you provide an auth header with an invalid token.
Were you able to successfully deploy your functions?
Yes
The text was updated successfully, but these errors were encountered: