Firestore - token doesn't update in the Firestore Rules #1499

sanks · 2018-07-06T13:55:31Z

Xcode version: 9.4.1
Firebase SDK version: 5.4.0
Firebase Component: Firestore
Component version: 0.12.5

The problem

After setup custom claims for a user through the Cloud Functions - the token (and custom claims together with it) weren't updated in Firestore Rules.

Even after calling getIDTokenForcingRefresh(true) the Rule doesn't allow to get a document. However, in the app, I see that the token was updated and contains my custom claim.

Only sign out and sign in again helps. But it's not good for the user...

The problem is exactly and only with Firestore Rules section. I checked the Storage Rules section with the similar rules - and the token/custom claims were updated here. Also, I checked the Cloud Functions context - the token/custom claims were updated here as well.

Steps to reproduce:

Setup Firestore rules based on custom claims.
Update user's custom claims through a Firebase Function
Call getIDTokenForcingRefresh(true)
Try to get a document that should be available only for the user with the certain custom claim.
Unable to get the document because of lack of permissions

Relevant Code:

Firestore Rules:

service cloud.firestore {
    match /databases/{database}/documents {
        match /items/{itemId} {
            allow read: if request.auth.token.customField == true;
        }
    }
}

Cloud Function:

const myFunction = function (data, context) {
    return FirebaseAdmin.auth().setCustomUserClaims(uid, {
	customField: true
    });
}

Function call and token refresh

functions.httpsCallable("my-function").call() { (result, error) in
    if let error = error {
        debugPrint(error)
        return
    }
    Auth.auth().currentUser?.getIDTokenResult(forcingRefresh: true, completion: { (result, error) in
        debugPrint(result?.claims["customField"]) // equals to true here, but...
        db.document("items/1").getDocument { (document, error) in
            debugPrint(document.documentID) // nil
            debugPrint(document.exists) // false
            // but the document exists in the Firestore for sure 
            // and if disable firestore rule or sign-out and sign-in again it works
        }
    })
}

The text was updated successfully, but these errors were encountered:

morganchen12 · 2018-07-11T19:08:13Z

@sanks instead of signing out and signing back in, are you able to work around this by reloading the user?

sanks · 2018-07-12T04:50:19Z

@morganchen12 no, reloading user doesn't help as well.

mikelehen · 2018-07-12T14:34:54Z

This is a known issue. Right now the Firestore SDK ignores token changes if the uid doesn't change. We likely need to rework the code here:

firebase-ios-sdk/Firestore/core/src/firebase/firestore/auth/firebase_credentials_provider_apple.mm

Line 61 in 49f2493

if (new_user != contents->current_user) {

Sorry for the inconvenience! For now, signing out / back-in is the only workaround.

See firebase/firebase-ios-sdk#1499 This reworks our UserListener into a CredentialChangeListener which fires on any token change, even if the User did not change. This allows us to restart our streams (but not switch mutation queues, etc.) on token changes.

[Port of firebase/firebase-js-sdk#1120] Fixes #1499. This reworks our "user listener" into a "credential change listener" that fires on any token change, even if the User did not change. This allows us to restart our streams (but not switch mutation queues, etc.) on token changes.

* firebase-ios-sdk/1499: Restart streams on any token change. See firebase/firebase-ios-sdk#1499 This reworks our UserListener into a CredentialChangeListener which fires on any token change, even if the User did not change. This allows us to restart our streams (but not switch mutation queues, etc.) on token changes.

sanks changed the title ~~Firestore - custom claims don't update in rules~~ Firestore - token doesn't update in the Firestore Rules Jul 6, 2018

paulb777 added the api: firestore label Jul 6, 2018

mikelehen mentioned this issue Aug 14, 2018

firebase-ios-sdk/1499: Restart streams on any token change. firebase/firebase-js-sdk#1120

Merged

mikelehen mentioned this issue Aug 14, 2018

firebase-ios-sdk/1499: Restart streams on any token change. #1692

Merged

paulb777 added this to the M32 milestone Aug 14, 2018

mikelehen closed this as completed in #1692 Aug 15, 2018

firebase locked and limited conversation to collaborators Oct 30, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Firestore - token doesn't update in the Firestore Rules #1499

Firestore - token doesn't update in the Firestore Rules #1499

sanks commented Jul 6, 2018

morganchen12 commented Jul 11, 2018

sanks commented Jul 12, 2018 •

edited

mikelehen commented Jul 12, 2018

Firestore - token doesn't update in the Firestore Rules #1499

Firestore - token doesn't update in the Firestore Rules #1499

Comments

sanks commented Jul 6, 2018

The problem

Steps to reproduce:

Relevant Code:

morganchen12 commented Jul 11, 2018

sanks commented Jul 12, 2018 • edited

mikelehen commented Jul 12, 2018

sanks commented Jul 12, 2018 •

edited