Discrepancy in Admin SDK's updateUser and client JS SDK's updateProfile functions

[choxnox]

[REQUIRED] Step 2: Describe your environment

• Operating System version: MacOS 12.4
• Firebase SDK version: [email protected]
• Firebase Product: Auth
• Node.js version: 16.17.1
• NPM version: 8.15.0

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

There seem to be a discrepancy between how Admin SDK's updateUser works versus client JS SDK's updateProfile - more specifically how the photoURL field is being validated.

For example, using the client-side Firebase JS SDK we can update the photoURL to be a relative path which we later on assemble in order to render the actual profile photo.

This works just fine:

import firebase from 'firebase/app';

await firebase.auth().currentUser?.updateProfile({
    photoURL: 'users/abc_123.jpg'
});

However, when updating the photo URL using Admin SDK (from the Firebase function), there seem to be additional validation step which requires the photoURL to be a valid URL starting with http or https.

So, this doesn't work because error FirebaseAuthError: The photoURL field must be a valid URL. is being thrown:

const admin = require('firebase-admin');

admin.auth().updateUser('...', {
    photoURL: 'users/abc_123.jpg'
});

In my opinion there shouldn't be URL validation because Firebase Auth itself doesn't impose validation and plus it breaks our efforts to reuse the logic in both backend and frontend because if we try to update the profile photo from the backend, it breaks the way how we handle image rendering as we can't hard-code the whole URL since it changes based on some internal logic.