Insufficient permissions error after the user is inactive for some time

[LanderBeeuwsaert]

Operating System

Mine: Windows 11; but happens on Macs as well

Browser Version

Mine: Chrome ; but happens on all kinds of browsers of users

Firebase SDK Version

9.22.2 ; angularFire 7.6.1

Firebase SDK Product:

Analytics, AppCheck, Auth, Database, Firestore, Functions, Messaging, Performance, Storage

Describe your project's tooling

Angular + AngularFire + rxjs + Angular-cli

Describe the problem

This code shows how the user document that is stored in firestore is updated:

in authenticationService there is a line of code: this.authentication$ = authState(this.auth); that uses angularFire authState

the underlying function using angularFire docData

for a user (the same happens for many of our users) the logging looks like this: so the user has the browser window open without actually using the application.

Because of the annoying "feature" of firestore to trigger connected documents every 30 minutes (and probably costing us a pretty penny) (also, see that it's not cleanly triggering every 30 minutes, it's very haphazardly), it's logged that the user document changed (but when we compare in the logging the 2 documents, it's clear the document didn't actually change).

And then, after an undeterminate amount of time, without a clear reason, suddenly together with such a new trigger firebase-js-sdk says there is a permissions error.

However logging makes clear there was actually no logout.

Steps and code to reproduce issue

See the code above. Reproduce: leave an amount of computers open for days and wake them up intermittently.

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[LanderBeeuwsaert]

We have similar issues for other queries: FirebaseError: Missing or insufficient permissions: ["sheets"]=>[{"field":{"segments":["owner_email"],"offset":0,"len":1},"op":"==","value":{"stringValue":"******************"}},{"field":{"segments":["valid_until"],"offset":0,"len":1},"op":">","value":{"timestampValue":"2023-05-30T07:56:56.941000000Z"}}] (this is a query where we add in the logging the query parameters). In the screenshot while the error happens we can see that there seems to be a disconnect from the network at that time: We show this "connection lost" toast message on the realtime database triggering a disconnect:

[tom-andersen]

Thanks for the information. This will take a little longer to investigate.

[LanderBeeuwsaert]

@tom-andersen understandable, glad that it's getting attention. If we can help let us know. We can't reproduce consistently ourselves however but we could add something in the exception handler to gather more information if that would be useful.

[LanderBeeuwsaert]

One more indication it has something to do with loss of connection: over a course of 40 seconds it keeps happening for this user on multiple subscribes while for that same user this is logged at the same time: so the network connection seemed to be lost, 40 seconds later multiple subscriptions were being blocked with permissions denied, and then some time later the connection restored (and logging was written away)

[LanderBeeuwsaert]

Hi @tom-andersen , we still have +-20 instances of this issue every day. (on +- 500.000 reads/day) I'm 99% sure that this is something that all users using firestore have. Will it be possible to look into this somewhere in the coming ...? Just so to set expectations on if we'll have to learn to live with this or not?

[AmilKey]

I get this error in my App "FirebaseError: Missing or insufficient permissions." after two hours of using the app. It seems that the token is not updated automatically. The error is fixed after refreshing the page or forcibly requesting a new token. firebase: ^10.13.1

[AmilKey]

@tom-andersen is there any solution to this problem, a lot of time has passed but the problem is not solved even in the latest version?

[LanderBeeuwsaert]

@tom-andersen fyi, we still are experiencing this issue daily. A bit less of occurrences than my comment a year ago. Now on average of 500.000 reads per day, +- 7 occurrences.

[AmilKey]

@tom-andersen fyi, we still are experiencing this issue daily. A bit less of occurrences than my comment a year ago. Now on average of 500.000 reads per day, +- 7 occurrences.

how did you solve this problem?

[LanderBeeuwsaert]

@AmilKey we didn't solve it. we're living with it :-p

[AmilKey]

@LanderBeeuwsaert do you logout user every hour?

[LanderBeeuwsaert]

we show a dialog to the user, asking them to refresh. That solves it for us

[nskoro]

This issue is affecting us daily. Please provide an update.

[AmilKey]

@tom-andersen any updates on this issue?

no effect from this config

const firestore = initializeFirestore(app, {
  experimentalAutoDetectLongPolling: false,
})

firebase: 10.13.2
"firebase-admin": "^12.5.0",
"firebase-functions": "^6.0.1",

I also noticed that this can happen if the internet connection was lost

also I think this issue related https://github.com/firebase/firebase-js-sdk/issues/6708

[LanderBeeuwsaert]

Hi @DellaBitta , our users continue to experience this daily, our userbase is continuing to grow, and this issue is growing linearly with it. It also seems other clients of firestore are experiencing the same issue. I dare to bet actually all firestore js sdk users experience this issue on an intermittent basis.

If for some reason this issue has not been deemed important enough to look into, would it be possible to provide us with a rationale behind that decision?

[wu-hui]

Apologies for the long silence.

For people who are experiencing this, can you provide below information:

• Are you using AppCheck?
• Can you reproduce this error yourself? If so, can you share a minimum reproduction app?
• If this only happens with real users, and you cannot reproduce it. Is it possible to turn on debug log and share the log with us?

[LanderBeeuwsaert]

@wu-hui Thank you for waking this thread up. I can assure you that probably a lot of your users have this. We have been living with this issue for years. It's nice to see this is getting attention.

Are you using AppCheck? => yes we do. If you want we would be able to unenforce app-check on Firestore for some time and see if it makes a difference

Can you reproduce this error yourself? If so, can you share a minimum reproduction app? => no not really. But it happens +- 1 time per day/per 2 days now. (usage of the application is lower in the summer). => We have improved on our logging (logging the browser tab where it happens) and it's most of the time indeed when a browser tab that was authenticated into some days ago is activitated again some days later.

If this only happens with real users, and you cannot reproduce it. Is it possible to turn on debug log and share the log with us? => hmmm, not really. That would mean turning on debug logging for all our users. => I would propose 2 possible routes forward that would also be useful for debugging other issues:

1. Would it be possible to have a new firestore configuration that enables a sort of in-memory debug logging and keeps the last 100 debug log lines in a memory object that can be accessed? We can then add code that once the error happens, we read that object and save it to our debug database.
2. Add a config that lets us enable a setting which adds identifiers to the "Missing permissions" error. So that it says on which rule line it fails against. Same/similar to when you have a missing permissions error against the emulator.