OPTIONS installations/***/authTokens:generate request causes CORS error #2467

Closed
ctavan opened this issue Dec 22, 2019 · 44 comments

@ctavan

ctavan commented Dec 22, 2019

Describe your environment

  • Operating System version: macOS 10.14
  • Browser version: Any (e.g. Chrome 79)
  • Firebase SDK version: firebase@7.6.1
  • Firebase Product: analytics

Describe the problem

I believe this is the same issue that others are observing in #2364 (comment)

I seem to be running into an edge case where the OPTIONS request to https://firebaseinstallations.googleapis.com/v1/projects/***/installations/***/authTokens:generate results in a CORS error.

Here's the situation: I have had a Firebase web app running for quite a while.

If I visit my web app with a new incognito window then a successful POST request to https://firebaseinstallations.googleapis.com/v1/projects/***/installations is issued:

[image: cors-noerror]

Resulting in an IndexedDB entry that looks like this:

[image: indexedgood]

All good in that case!

However, in my regular browser I have an issue. I cannot reproduce how the browser got into the current state, but the firebase-installations-store table in the local IndexedDB looks like this:

[image: indexeddb]

I believe the relevant part is the empty authToken. This will result in an OPTIONS request to https://firebaseinstallations.googleapis.com/v1/projects/***/installations/***/authTokens:generate which results in a 403 response and (since no CORS-headers are present) in a CORS error printed to the Chrome console:

[image: cors-error]

Access to fetch at 'https://firebaseinstallations.googleapis.com/v1/projects/***/installations/***/authTokens:generate' from origin 'https://mydomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I am not sure whether this is an issue on the server side or in the client code that does not gracefully handle the CORS error. But since others seem to be reporting this recently, I believe it should be investigated.

Steps to reproduce:

I have a hard time reproducing the issue since it depends on the contents of the local IndexedDB, see above.

Relevant Code:

See above.

@GoktuqCan

GoktuqCan commented Dec 23, 2019

Thank you @ctavan. I am having the same issue and I think it's irrelevant to the OS.

  • Operating System version: Ubuntu 18.04.3 LTS
  • Browser version: Version 79.0.3945.88 (Official Build) (64-bit)
  • Firebase SDK version: 7.6.0
  • Firebase Product: messaging

I don't have this problem with my MacOS Chrome and Opera browser in Ubuntu. (In these I didn't use the app for quite a while.)
I think the problem is, as you mentioned, about IndexedDB.
Under fcm_token_details_db, and under that fcm_token_object_Store, the fields below have records in Opera and not in Chrome.

  • fcmSenderId
  • fcmToken

In rest of the databases both browsers are having records.

@GoktuqCan

GoktuqCan commented Dec 23, 2019

I have different users (and of course they have different instances) for Chrome. Both were having this issue. So I deleted the Firebase databases from one of them. The problem is gone for that one and it is receiving the FCM token. But the issue remains for the other one.
I am sure this is because of the previous records in IndexedDB.

@mmermerkaya
Contributor

Thanks for the detailed description. Unfortunately I can't reproduce this, even when (force) calling the authTokens:generate API. It just completes successfully, or if I pass in a wrong parameter it fails, but still responds with the proper CORS headers. 😕

@rommelpe could you take a look as well?

@ctavan
Author

ctavan commented Dec 24, 2019

@mmermerkaya how could I try force calling authTokens:generate on my own? As stated in the bug report it depends on the contents of the IndexedDB, so I could try to call this in my affected browser profile as well.

@GoktuqCan

@mmermerkaya I just checked which version I started using this SDK with. The first npm version was 5.7.0. Maybe you can get a token with that version, update to 6.x.x, get a token again, and then 7.6.x.
I think this can reproduce the problem.

@mmermerkaya
Contributor

@ctavan This should do it:

import firebase from "firebase/app";
import "firebase/installations";

const app = firebase.initializeApp({/* your config */});

const installations = app.installations();
installations.getToken(/* forceRefresh= */ true);

Installations SDK reference docs can be found here.

@GoktuqCan Thanks! I'll try that.

@VitaliP

VitaliP commented Dec 24, 2019

Hi, I have the same issue and to be honest it's a huge problem now as I get a lot of support requests from users.

On Friday/Saturday, it stopped working
I tried installations.getToken(/* forceRefresh= */ true);

same error Access to fetch at 'https://firebaseinstallations.googleapis.com/v1/projects/coral-ring-XXXX/installations/XXXXXXX/authTokens:generate' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

*it's an error from localhost but I have the same error in production

Request URL: https://firebaseinstallations.googleapis.com/v1/projects/coral-ring-XXXX/installations/XXXXX/authTokens:generate
Request Method: OPTIONS
Status Code: 403
Remote Address: 172.217.1.10:443
Referrer Policy: no-referrer-when-downgrade

Mac OS / Chrome 78

firebase@7.6.0

Update 1: Just tried @7.6.1 - same problem (obviously)

Update 2: Tried on a new machine - works fine. (I still have 500 (Delete token call to FCM) when I manually change notification settings to ask, but it works.)
Is there a way to reset the installation, as it seems like this is what causes the problem...

@bogacg

bogacg commented Dec 26, 2019

In my app I've added Firebase (with angular/fire) but other than initialization and a call for the performance module it does nothing related to database or other services (no storage, auth, etc.). Yet I'm getting the same error. If I open the browser in incognito mode it works fine, or if I delete the cache it works again, but some time later I get that error again. It's a PWA and testers have already installed it on their phones, which is a problem.

UPDATE:
I removed performance module, it's just Firebase initialization left. Still I am getting this error.

UPDATE 2
Is this related? SO Answer

@aetbaev

aetbaev commented Dec 26, 2019

I have the same problem.
The problem disappears and returns.
Ubuntu 19.10/Chrome 77.0.3865.120

@phamquocbuu

I confirm this issue. It did not happen about 7 days ago. The problem started occurring only some days ago.

Access to fetch at 'https://firebaseinstallations.googleapis.com/v1/projects/***/installations/***/authTokens:generate' from origin 'https://www.(my website domain)' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

[image: Screenshot 2019-12-27 15 12 50]

[image: Screenshot 2019-12-27 15 13 15]

@chanlito

chanlito commented Dec 27, 2019

Facing the same issue. If anyone has found a workaround in the meantime, please let all of us know.
I'm sure the Firebase team is already working on a fix for this.

BTW works on Firefox for me, not Chrome tho.

@ctavan
Author

ctavan commented Dec 27, 2019

@bogacg the Stack Overflow answer you have posted does not seem to be related: In the project where I see the error I use unrestricted API Keys, so this can't be the issue.

@ctavan
Author

ctavan commented Dec 27, 2019

@mmermerkaya I still see the same error with your minimal reproduction code (calling installations.getToken(true)). I can send you a link to the test page in a direct message if that would be helpful for you (still have to mention that the outcome depends on the contents of the IndexedDB of your local browser profile as reported in the original bug report).

@Christilut

Same error here.

Happens on Firefox and Chrome 79. I'm on Windows 10.

Deleting the firebase-installations-database indexedDB fixes it until it comes back again for unknown reasons.

The indexedDB contained this before deleting it:

fid: "omitted"
registrationStatus: 2
refreshToken: "1:-i-omitted"
authToken:
  requestStatus: 0

@patrickmichalina

Same here. @Christilut is right, deleting firebase-installations-database clears the error for a while.

@phamquocbuu
Copy link

phamquocbuu commented Dec 28, 2019

Same error here.

Happens on Firefox and Chrome 79. I'm on Windows 10.

Deleting the firebase-installations-database indexedDB fixes it until it comes back again for unknown reasons.

The indexedDB contained this before deleting it:

fid: "omitted"
registrationStatus: 2
refreshToken: "1:-i-omitted"
authToken:
  requestStatus: 0

I tried and this works. Need a fix from the source code for other clients.

@tohagan

tohagan commented Dec 29, 2019

Experiencing the same issue:

Operating System version: Windows 10
Browser version: Chrome 79.0.3945.88
Firebase SDK version: firebase@7.6.0
Firebase Product: analytics

@dmitrydbelov

dmitrydbelov commented Dec 29, 2019

Same issue with FCM in a react.js application.
Chrome 79.0.3945.88 - Windows 10 - works w/o any problems.
Firefox 71.0 and Opera 65.0.3467.78 - CORS error

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://firebaseinstallations.googleapis.com/v1/projects/.../authTokens:generate. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://firebaseinstallations.googleapis.com/v1/projects/.../authTokens:generate. (Reason: CORS request did not succeed).

@shadow1349

I'm getting this problem on OSX with Chrome 79.0.3945.88 (Official Build) (64-bit). I am using Angular with firebase 7.6.1 and @angular/fire 5.2.3. Here is the error

Access to fetch at 'https://firebaseinstallations.googleapis.com/v1/projects/my-project/installations/SOME_TOKEN/authTokens:generate' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

@springfirenator

We have resolved it by using older versions of sdk

<script src="https://www.gstatic.com/firebasejs/7.5.2/firebase-app.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.5.2/firebase-messaging.js"></script>

@shadow1349

shadow1349 commented Dec 30, 2019

@springfirenator is that the latest version that does not have that error and can we still use analytics, remote config, and performance?

@springfirenator

@shadow1349 I guess you can use analytics of same version. And yes, the latest builds 7.6.0 and 7.6.1 produce these errors.

<script src="https://www.gstatic.com/firebasejs/7.5.2/firebase-analytics.js"></script>

@adarshmadrecha

I was having exactly the same problem mentioned in the issue.
This SO Answer Helped me resolve it
https://stackoverflow.com/a/58496014/4050261

@bogacg

bogacg commented Dec 30, 2019

@adarshmadrecha Not really the same thing, error we are seeing this time occurs even if app already has unrestricted access. SDK changes with version 7.6.0 and service changes which we can't know about are causing this.
When you look at Release Notes, it's only mentioned changes about FCM, but apps that are not using FCM are also affected.

This is a bad practice on Google's part making breaking changes without properly informing their ecosystem both external and internal (it seems SDK developers aren't sure what's going on with the servers and can't make proper changes to their code)

@GoktuqCan

Thanks @springfirenator

We have resolved it by using older versions of sdk

<script src="https://www.gstatic.com/firebasejs/7.5.2/firebase-app.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.5.2/firebase-messaging.js"></script>

npm users also have to do an uninstall and fallback to previous version as follows:
npm uninstall firebase && npm i firebase@7.5.2
Do not just change version in package.json

@bogacg

bogacg commented Dec 30, 2019

Despite falling back to v7.5.2 I'm still having issues 🤷‍♂️🤦‍♂️

Update: App seems to work fine on default given <project-id>.web.app domain.
Did remove custom domain and later will define it again. Let's see if it will fix errors under custom domain.

Update 2: I've waited 1 hour after deletion of custom domain, then re-added. On Windows 10 Chrome PWA did not present any error.

On Android errors kept coming and I had to clean browser cache. After that it worked as expected.

@dimileeh

dimileeh commented Dec 30, 2019

I'm hosting two websites with different domains in the same Firebase Hosting project.

Both websites worked just fine until I noticed that today one of them - WEBSITETWO - started to complain:

Access to fetch at 'https://firebaseinstallations.googleapis.com/v1/projects/WEBSITEONE/installations/TOKEN/authTokens:generate' from origin 'https://WEBSITETWO.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Both websites are built upon Gatsby.

Falling back to Firebase v7.5.2 for WEBSITETWO didn't help 👎

UPDATE:
Then, a few minutes later, I checked again, and that CORS error went away.
I've upgraded back to firebase@latest, which is ^7.6.1 at the time of writing, and it's all working now, no CORS errors.

So I think we're all good now :)

@phamquocbuu

I'm hosting two websites with different domains in the same Firebase Hosting project.

Both websites worked just fine until I noticed that today one of them - WEBSITETWO - started to complain:

Access to fetch at 'https://firebaseinstallations.googleapis.com/v1/projects/WEBSITEONE/installations/TOKEN/authTokens:generate' from origin 'https://WEBSITETWO.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Both websites are built upon Gatsby.

Falling back to Firebase v7.5.2 for WEBSITETWO didn't help 👎

UPDATE:
Then, a few minutes later, I checked again, and that CORS error went away.
I've upgraded back to firebase@latest, which is ^7.6.1 at the time of writing, and it's all working now, no CORS errors.

So I think we're all good now :)

This does not work for me...
I tried switching between a restricted and an unrestricted key, and using the new version of Firebase. Neither of them helps.

@dimileeh

I've also whitelisted my two domains, restricting the API keys to work only from those two domains. Maybe that helped?

Before that, my key was unrestricted regarding the clients.

My backend services are unrestricted.

@fffaria

fffaria commented Dec 31, 2019

npm uninstall firebase && npm i firebase@7.5.2

I had to use the code above to fix the error. Google needs to be more careful with that kind of update. I shall wait for any further updates before using the latest Firebase version.

@mahmoud-mosaad

I had the same issue with firebase ^7.6.0. I can send messages to saved tokened devices, but after I run messaging.getToken() and get an authentication error, only these devices can't receive the notification.

Downgrading to version 7.5.2 solved my issue.

I hope Firebase solves this issue.

@detinho

detinho commented Jan 2, 2020

Downgrading to 7.5.2 solved my issue too. On my project I use only the authentication. It was working ok. I stopped working on my project for 5 days (more or less). It was working well, but then today I got this error.

@rejhgadellaa

Downgrading to 7.5.2 worked for me, too.

I had trouble getting new messaging tokens. As far as I know, auth still worked. Refreshing the messaging token failed with the error mentioned in the OP and then kept calling the callback, causing high CPU usage + broke notifications.

@ctavan
Author

ctavan commented Jan 3, 2020

Downgrading to 7.5.2 did remove the error for me as well.

The only difference that I could spot in the OPTIONS request (that fails with 7.6.x) is the following:

7.5.2:

access-control-request-headers: authorization,content-type,x-goog-api-key

7.6.1:

access-control-request-headers: authorization,content-type,x-firebase-client,x-goog-api-key

@mmermerkaya does this make any sense?

@ctavan
Author

ctavan commented Jan 3, 2020

@Domiii

Domiii commented Jan 3, 2020

Same problem here. It worked for a few days, but now I'm also encountering this issue.

I am also on 7.6.0. Would love to just downgrade back to 7.5.2 to fix it, but I actually only upgraded because on 7.5.2 I encountered this error.

Looking forward to a fix, because without it, I am unable to use FCM at all :/

@mmermerkaya
Contributor

Hey everyone, thanks for the investigation and sorry for the silence from our part. Things have been a little slow because of the holiday season. I've reported this to our backend team a few days ago and I'm currently waiting for them to investigate this.

@andirayo
Contributor

andirayo commented Jan 4, 2020

This error might have been introduced by #2400 which adds a new (not standard) request-header to the FIS SDK. Browsers may block these requests if the receiving server does not send the appropriate CORS header.
I will add the CORS headers to the Google Frontend service and hopefully this will fix the problem.

@yeukfei02

yeukfei02 commented Jan 6, 2020

Hi all,

I think I encounter the same problem

firebase version: 7.6.1

Request URL: https://firebaseinstallations.googleapis.com/v1/projects/xxxxx/installations/cWnZeU3P52mKtPtRYR36qA/authTokens:generate
'http://localhost:5000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

cors issue....

@Domiii

Domiii commented Jan 6, 2020

I found that this issue only affects localhost. Tokens are generated fine when used on the registered domain.

@hsubox76
Contributor

hsubox76 commented Jan 6, 2020

Sorry to everyone who's been experiencing this issue. Our backend team has just checked in a change to allow these headers. I'll let you know when it's rolled out.

@andirayo
Contributor

andirayo commented Jan 6, 2020

The fix should be in production since ~ 1pm PT.
It would be great if you could confirm that the issue no longer exists.

@andirayo
Contributor

andirayo commented Jan 7, 2020

@GoktuqCan , @aetbaev , @cosmospham , @Christilut , @patrickmichalina , @Domiii :
I want to give some background on why deleting the firebase-installations-database temporarily fixes this issue:
The Firebase Installations Service (in the following called "FIS") is an infrastructure service for Firebase services that creates unique identifiers for Firebase clients (called "Firebase Installations") enabling Firebase Targeting, i.e. interoperation between Firebase services.
The initial request to FIS registers the client's identifier with Firebase and receives an initial FIS Auth-Token that is used by Firebase services for authentication purposes.
After 7 days, a FIS Auth-Token expires and the FIS library has to send another request to FIS in order to generate a new FIS Auth-Token. It is this request that was changed in #2400 and presumably causes the issue.
Deleting the firebase-installations-database database resets the FIS library and restarts this process, and thus temporarily fixes / clears the issue until 7 days later another request to #GenerateAuthToken is necessary.

The FIS library was working fine until #2400 introduced an additional header being sent to Firebase without enabling CORS headers on server-side for this new (not standard) request-header.
This change was never meant to be a breaking change, but suboptimal communication between our teams has led to this issue. I'm very sorry for everyone that is affected and I surely hope that our server-side change will fix the problem for you!
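
The preflight failure discussed in this thread, modelled as an added example (not code from the Firebase SDK or from any participant). The two Access-Control-Request-Headers values and the 403 response without CORS headers are the ones reported above; the origin, the 200-status responses and all function names are constructed for illustration.

```javascript
// Added example: a model of the browser's CORS preflight check, applied to the
// authTokens:generate request from this thread. Not Firebase SDK code.

// Access-Control-Request-Headers values quoted in the thread.
const REQ_HEADERS_7_5_2 = "authorization,content-type,x-goog-api-key";
const REQ_HEADERS_7_6_1 =
  "authorization,content-type,x-firebase-client,x-goog-api-key";

const ORIGIN = "https://app.example"; // constructed origin

// Preflight response as reported in the thread: 403 with no CORS headers.
const REPORTED_403 = { status: 403, headers: {} };

// Constructed responses (assumptions): a server allow list that predates the
// new header, and one that includes it.
const allowing = (allowHeaders) => ({
  status: 200,
  headers: {
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Allow-Headers": allowHeaders,
  },
});
const STALE_ALLOW_LIST = allowing(REQ_HEADERS_7_5_2);
const UPDATED_ALLOW_LIST = allowing(REQ_HEADERS_7_6_1);

// Split a comma-separated header list into lower-cased names.
function parseList(value) {
  return (value || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// Header names requested by `newer` that `older` did not request.
function addedHeaders(older, newer) {
  const before = new Set(parseList(older));
  return parseList(newer).filter((h) => !before.has(h));
}

// Decide whether a preflight response lets the real request proceed
// (non-credentialed request assumed).
function checkPreflight(origin, requestHeaders, response) {
  const headers = {};
  for (const [name, value] of Object.entries(response.headers)) {
    headers[name.toLowerCase()] = value;
  }
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOrigin !== "*" && allowOrigin !== origin) {
    return { ok: false, reason: "Access-Control-Allow-Origin mismatch" };
  }
  if (response.status < 200 || response.status > 299) {
    return { ok: false, reason: `preflight status ${response.status}` };
  }
  const allowed = new Set(parseList(headers["access-control-allow-headers"]));
  // "*" covers any header except authorization, which must be listed by name.
  const wildcard = allowed.has("*");
  const rejected = parseList(requestHeaders).filter(
    (h) => !allowed.has(h) && !(wildcard && h !== "authorization")
  );
  return rejected.length
    ? { ok: false, reason: `header not allowed: ${rejected.join(",")}` }
    : { ok: true, reason: "preflight passed" };
}
```

Comparing the Access-Control-Request-Headers of a working and a failing client build with `addedHeaders` is a quick way to spot a newly introduced custom header before it reaches users.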

@ctavan
Author

ctavan commented Jan 7, 2020

@andirayo I can confirm that I no longer observe the error. Thanks for the fix! 👍

@ctavan ctavan closed this as completed Jan 7, 2020
@firebase firebase locked and limited conversation to collaborators Feb 7, 2020