firebase-admin-node
firebase-admin-node copied to clipboard
firebase
fix: Make ADC + human account work with firebase-admin
This PR is intended to fix a current bug in firebase-admin.
Google Cloud recommends utilizing [Application Default Credentials (ADC)] (https://cloud.google.com/docs/authentication/application-default-credentials), however this feature does not fully work with the firebase-admin-node library when you want to utilize a human account ([email protected]) instead of a service account.
Some GCP APIs require you to specify the quota project associated to the request, however, the current implementation of the firebase-admin-node library does not provide the project ID when making requests to GCP APIs, even if you set them through gcloud auth application-default set-quota-project YOUR_PROJECT, because the code that handles the requests never adds the project ID to the request. And you get errors like this:
Your application is authenticating by using local Application Default Credentials. The identitytoolkit.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .
Therefore, this pull request aims to fix this issue by checking if a projectId was provided when calling the initializeApp() function and adds it to the x-goog-user-project header of requests made to GCP APIs, just like the documentation states it should be set.
This implementation is similar to how the (working) google-auth-library library handles ADC authentication (src/auth/authclient.ts:270):
/**
* Append additional headers, e.g., x-goog-user-project, shared across the
* classes inheriting AuthClient. This method should be used by any method
* that overrides getRequestMetadataAsync(), which is a shared helper for
* setting request information in both gRPC and HTTP API calls.
*
* @param headers object to append additional headers to.
*/
addSharedMetadataHeaders(headers) {
// quota_project_id, stored in application_default_credentials.json, is set in
// the x-goog-user-project header, to indicate an alternate account for
// billing and quota:
if (!headers['x-goog-user-project'] && // don't override a value the user sets.
this.quotaProjectId) {
headers['x-goog-user-project'] = this.quotaProjectId;
}
return headers;
}
This should also solve some problems described in #1377
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
View this failed invocation of the CLA check for more information.
For the most up to date status, view the checks section at the bottom of the pull request.
![google-cla[bot] avatar](https://avatars.githubusercontent.com/in/42202?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hi @foxrafa could you please take a look at the lint errors in the failing CIs? Thanks!
Oh, all of the test cases are not expecting the x-goog-user-project header. Can I change them @lahirumaramba ?
@lahirumaramba fixed it.
Thanks! We also need to update the unit tests :)
@lahirumaramba fixed it.
Thanks! We also need to update the unit tests :)
I updated them now.
Thanks for the updating the tests! This issue will also be addressed in the credentials migration work https://github.com/firebase/firebase-admin-node/pull/2466 (which I think is the proper way to address this issue). For now, I am okay with us merging this PR as a stopgap
Thanks @foxrafa ! this change is now included in the v12.2.0 release!
