Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Firestore - token doesn't update in the Firestore Rules #1499

Closed
sanks opened this issue Jul 6, 2018 · 3 comments
Closed

Firestore - token doesn't update in the Firestore Rules #1499

sanks opened this issue Jul 6, 2018 · 3 comments
Milestone

Comments

@sanks
Copy link

@sanks sanks commented Jul 6, 2018

  • Xcode version: 9.4.1
  • Firebase SDK version: 5.4.0
  • Firebase Component: Firestore
  • Component version: 0.12.5

The problem

After setup custom claims for a user through the Cloud Functions - the token (and custom claims together with it) weren't updated in Firestore Rules.

Even after calling getIDTokenForcingRefresh(true) the Rule doesn't allow to get a document. However, in the app, I see that the token was updated and contains my custom claim.

Only sign out and sign in again helps. But it's not good for the user...

The problem is exactly and only with Firestore Rules section. I checked the Storage Rules section with the similar rules - and the token/custom claims were updated here. Also, I checked the Cloud Functions context - the token/custom claims were updated here as well.

Steps to reproduce:

  1. Setup Firestore rules based on custom claims.
  2. Update user's custom claims through a Firebase Function
  3. Call getIDTokenForcingRefresh(true)
  4. Try to get a document that should be available only for the user with the certain custom claim.
  5. Unable to get the document because of lack of permissions

Relevant Code:

Firestore Rules:

service cloud.firestore {
    match /databases/{database}/documents {
        match /items/{itemId} {
            allow read: if request.auth.token.customField == true;
        }
    }
}

Cloud Function:

const myFunction = function (data, context) {
    return FirebaseAdmin.auth().setCustomUserClaims(uid, {
	customField: true
    });
}

Function call and token refresh

functions.httpsCallable("my-function").call() { (result, error) in
    if let error = error {
        debugPrint(error)
        return
    }
    Auth.auth().currentUser?.getIDTokenResult(forcingRefresh: true, completion: { (result, error) in
        debugPrint(result?.claims["customField"]) // equals to true here, but...
        db.document("items/1").getDocument { (document, error) in
            debugPrint(document.documentID) // nil
            debugPrint(document.exists) // false
            // but the document exists in the Firestore for sure 
            // and if disable firestore rule or sign-out and sign-in again it works
        }
    })
}
@sanks sanks changed the title Firestore - custom claims don't update in rules Firestore - token doesn't update in the Firestore Rules Jul 6, 2018
@morganchen12
Copy link
Contributor

@morganchen12 morganchen12 commented Jul 11, 2018

@sanks instead of signing out and signing back in, are you able to work around this by reloading the user?

@sanks
Copy link
Author

@sanks sanks commented Jul 12, 2018

@morganchen12 no, reloading user doesn't help as well.

@mikelehen
Copy link
Contributor

@mikelehen mikelehen commented Jul 12, 2018

This is a known issue. Right now the Firestore SDK ignores token changes if the uid doesn't change. We likely need to rework the code here:

Sorry for the inconvenience! For now, signing out / back-in is the only workaround.

mikelehen pushed a commit to firebase/firebase-js-sdk that referenced this issue Aug 14, 2018
See firebase/firebase-ios-sdk#1499

This reworks our UserListener into a CredentialChangeListener which
fires on any token change, even if the User did not change. This allows
us to restart our streams (but not switch mutation queues, etc.) on token
changes.
mikelehen pushed a commit that referenced this issue Aug 14, 2018
[Port of firebase/firebase-js-sdk#1120]

Fixes #1499.

This reworks our "user listener" into a "credential change listener" that
fires on any token change, even if the User did not change. This allows
us to restart our streams (but not switch mutation queues, etc.) on token
changes.
@paulb777 paulb777 added this to the M32 milestone Aug 14, 2018
mikelehen added a commit that referenced this issue Aug 15, 2018
[Port of firebase/firebase-js-sdk#1120]

Fixes #1499.

This reworks our "user listener" into a "credential change listener" that
fires on any token change, even if the User did not change. This allows
us to restart our streams (but not switch mutation queues, etc.) on token
changes.
mikelehen added a commit to firebase/firebase-js-sdk that referenced this issue Aug 15, 2018
* firebase-ios-sdk/1499: Restart streams on any token change.

See firebase/firebase-ios-sdk#1499

This reworks our UserListener into a CredentialChangeListener which
fires on any token change, even if the User did not change. This allows
us to restart our streams (but not switch mutation queues, etc.) on token
changes.
@firebase firebase locked and limited conversation to collaborators Oct 30, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

4 participants