From 9392f4113fb3bfb808cc7d82469382b3f7e17f14 Mon Sep 17 00:00:00 2001
From: Jofferson Ramirez Tiquez
Date: Fri, 11 May 2018 14:56:47 +0800
Subject: [PATCH] Updated catch for req.cookie
The previous code will fail if no Authorization was set in the header.
---
 authorized-https-endpoint/functions/index.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/authorized-https-endpoint/functions/index.js b/authorized-https-endpoint/functions/index.js
index e2d0cbaebf..375f9dd6bf 100644
--- a/authorized-https-endpoint/functions/index.js
+++ b/authorized-https-endpoint/functions/index.js
@@ -31,7 +31,7 @@ const validateFirebaseIdToken = (req, res, next) => {
 console.log('Check if request is authorized with Firebase ID token');
 if ((!req.headers.authorization || !req.headers.authorization.startsWith('Bearer ')) &&
- !req.cookies.__session) {
+ !(req.cookies && req.cookies.__session)) {
 console.error('No Firebase ID token was passed as a Bearer token in the Authorization header.',
 'Make sure you authorize your request by providing the following HTTP header:',
 'Authorization: Bearer ',
@@ -45,10 +45,14 @@ const validateFirebaseIdToken = (req, res, next) => {
 console.log('Found "Authorization" header');
 // Read the ID Token from the Authorization header.
 idToken = req.headers.authorization.split('Bearer ')[1];
- } else {
+ } else if(req.cookies) {
 console.log('Found "__session" cookie');
 // Read the ID Token from cookie.
 idToken = req.cookies.__session;
+ } else {
+ // No cookie
+ res.status(403).send('Unauthorized');
+ return;
 }
 admin.auth().verifyIdToken(idToken).then(decodedIdToken => {
 console.log('ID Token correctly decoded', decodedIdToken);
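Review bot: The new `!(req.cookies && req.cookies.__session)` guard in the first hunk has no comment saying when `req.cookies` can be missing, and the commit message attributes the crash to an absent Authorization header rather than to the cookie object. In Express `req.cookies` is only populated by a cookie-parsing middleware, so a one-line comment such as `// req.cookies is undefined unless a cookie parser ran before this middleware` would tell the next maintainer why the extra check exists. The rejection branch this condition opens continues past the end of the hunk.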
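Review bot: `else if(req.cookies)` in the second hunk tests only that a cookie object exists, not that it carries a `__session` value, so it is weaker than the guard the first hunk adds. As long as that earlier guard returns after rejecting (its body is not shown), the new final `else` looks unreachable; if the guard is ever relaxed, a request with an empty cookie object would pass `undefined` to `verifyIdToken` instead of hitting the 403. Making the branch check the token itself, `} else if (req.cookies && req.cookies.__session) {`, keeps the two conditions in agreement and makes the fallback fail closed on its own. The `verifyIdToken` chain continues outside the hunk.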