New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Firestore Emulator Security Rule request.auth
is always null even after authed
#5072
Comments
@mono0926 thank you for the extremely detailed bug report, this feels like a bug but I'm not sure at the moment if it's a bug in the iOS SDK or if it's a bug in the emulator(s). |
Anything I can do to help further debugging this? It's a letdown not being able to test my app against the emulator suite |
I'm running into this issue as well. In order to test iOS against the emulator I have to change rules to allow all ( |
@renkelvin can you take a moment to check if this is an SDK bug or an emulator bug? |
@morganchen12 looks like an issue related to Firestore, not Auth. |
@renkelvin it could be related to both. Firestore needs to ask Auth for the token and Auth needs to provide one, then Firestore sends it along to the emulator and the emulator unpacks it. I can confirm this works on Android and the Web so it's certainly something within the iOS SDK |
@wilhuff Any suggestions for how to debug? It's not obvious how to determine where |
The Firestore client never sets this error code directly unless we encounter e.g. a filesystem operation with an It's definitely possible that Firestore is failing to attach the credentials in some way, though this working in production but not against the emulator seems suspicious. The best path forward is to enable debug logging in Firestore and look at all the lines relating to the current user. We log when initializing or the current identity changes. You can observe what Firestore is sending with gRPC tracing. Set these environment variables: Alternatively, you could set a breakpoint in |
Still digging into it, but definite differences in the logs with the GRPC environment variables turned on: Emulator log
Non-emulator log
|
@wilhuff The token looks correct at the suggested breakpoint. The "Connection refused" problem happens later in the bowels of gRPC
|
The two versions diverge at the The success case returns 0 in |
@paulb777 are you actually running an emulator on your local host, port 8080 while trying to reproduce this? Getting a connection refused there seems wholly disconnected from the underlying issue here. For a quick way to run the emulator just call |
I was running with the emulator bundled in the bug report. With the emulator from the repo, the first call to Correct behavior seems to depend on using version 1.10.4 of the emulator (or something else in |
Removing the |
My comment above about the emulator version mattering can be disregarded. I was confused about how the emulator works. If I modify |
I pulled the reproduction up under the debugger and I can see that Firestore is setting the credential but gRPC isn't sending it. While it's possible there's something I'm not seeing here, the next step is to upgrade gRPC and see if the issue persists. We're quite a ways behind. |
Still the same issue after commenting out the downversion lock in the podspec:
|
After some research, this is essentially the same issue as reported in grpc/grpc-node#543 (there may be a more canonical issue for this but the discussion there highlights the issue). The gRPC C core is discarding the credential because we're connecting the emulator over an unencrypted channel. I'll cook up a workaround. |
@wilhuff thanks for investigating! FWIW Android sends the credentials properly so may be able to look at what happens over there. |
Android sets the |
This fix will go out with the next release (in a few weeks--there's a release that's coming out imminently that was cut well before this fix landed). |
[REQUIRED] Step 1: Describe your environment
CocoaPods
[REQUIRED] Step 2: Describe the problem
Firestore Emulator Security Rule
request.auth
is always null even after authed.I tried it on Android project/emulator, and it works fine, so I suspect it is iOS SDK's bug.
Steps to reproduce:
I created the reproduced project: https://github.com/mono0926/firestore-emulator-sample
1. Prepare Firestore Emulator
Execute this:
git clone https://github.com/mono0926/firestore-emulator-sample.git cd firestore-emulator-sample/firebase firebase emulators:start
If you create your own Firebase project, these steps are needed:
Enable Anonymous Auth:
Enable Firestore:
2. Run iOS application
Execute this:
cd firestore-emulator-sample/iOS/ pod install open EmulatorSample.xcworkspace
And Run app on iOS simulator, and push the button:
The error log will be output:
Relevant Code:
Security Rule
This security rule allows
/users/{userId}
get
only ifrequest.auth != null
https://github.com/mono0926/firestore-emulator-sample/blob/633cd0d48c8b6eaf228d1fb3f978420df1fc4e6d/firebase/firestore.rules#L5
iOS initialization
At
didFinishLaunchingWithOptions
, set to connect to Firestore emulator.https://github.com/mono0926/firestore-emulator-sample/blob/633cd0d48c8b6eaf228d1fb3f978420df1fc4e6d/iOS/EmulatorSample/AppDelegate.swift#L20-L24
iOS logic
Auth.auth().signInAnonymously
Firestore.firestore().collection("users").document(uid).getDocument()
https://github.com/mono0926/firestore-emulator-sample/blob/32f5c5bdf59eba8098c3bede21c6da430568b799/iOS/EmulatorSample/ViewController.swift#L19-L39
This should succeed without any errors because the user is authed and firestore security rule only checks
request.auth != null
and this condition is satisfied.If setting to connect to emulator codes is commented out, the app will connect to real Firestore backend(same security rule deployed), and it works as expected.
The text was updated successfully, but these errors were encountered: