Re-establish streams when App Check token expires. (#5902)

* Re-establish streams when App Check token expires. * Create happy-badgers-leave.md * Better patch message. * better patch message. * address comments. * Remove outdated comment. * Update packages/firestore/src/core/firestore_client.ts Co-authored-by: Sebastian Schmidt <mrschmidt@google.com> Co-authored-by: Sebastian Schmidt <mrschmidt@google.com>
firebase · Jan 26, 2022 · e28b0e4 · e28b0e4
1 parent 2820674
commit e28b0e4
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/.changeset/happy-badgers-leave.md b/.changeset/happy-badgers-leave.md
@@ -0,0 +1,7 @@
+---
+"@firebase/firestore": patch
+---
+
+Fixed an AppCheck issue that caused Firestore listeners to stop working and
+receive a "Permission Denied" error. This issue only occurred for AppCheck users
+that set their expiration time to under an hour.
diff --git a/packages/firestore/src/core/firestore_client.ts b/packages/firestore/src/core/firestore_client.ts
@@ -99,6 +99,10 @@ export class FirestoreClient {
   private readonly clientId = AutoId.newId();
   private authCredentialListener: CredentialChangeListener<User> = () =>
     Promise.resolve();
+  private appCheckCredentialListener: (
+    appCheckToken: string,
+    user: User
+  ) => Promise<void> = () => Promise.resolve();
 
   offlineComponents?: OfflineComponentProvider;
   onlineComponents?: OnlineComponentProvider;
@@ -122,8 +126,10 @@ export class FirestoreClient {
       await this.authCredentialListener(user);
       this.user = user;
     });
-    // Register an empty credentials change listener to activate token refresh.
-    this.appCheckCredentials.start(asyncQueue, () => Promise.resolve());
+    this.appCheckCredentials.start(asyncQueue, newAppCheckToken => {
+      logDebug(LOG_TAG, 'Received new app check token=', newAppCheckToken);
+      return this.appCheckCredentialListener(newAppCheckToken, this.user);
+    });
   }
 
   async getConfiguration(): Promise<ComponentConfiguration> {
@@ -142,6 +148,12 @@ export class FirestoreClient {
     this.authCredentialListener = listener;
   }
 
+  setAppCheckTokenChangeListener(
+    listener: (appCheckToken: string, user: User) => Promise<void>
+  ): void {
+    this.appCheckCredentialListener = listener;
+  }
+
   /**
    * Checks that the client has not been terminated. Ensures that other methods on
    * this class cannot be called after the client is terminated.
@@ -234,6 +246,9 @@ export async function setOnlineComponentProvider(
   client.setCredentialChangeListener(user =>
     remoteStoreHandleCredentialChange(onlineComponentProvider.remoteStore, user)
   );
+  client.setAppCheckTokenChangeListener((_, user) =>
+    remoteStoreHandleCredentialChange(onlineComponentProvider.remoteStore, user)
+  );
   client.onlineComponents = onlineComponentProvider;
 }