firebase-tools
firebase-tools copied to clipboard
firebase
Firebase requires reauth for Google Workspace Accounts
[REQUIRED] Environment info
firebase-tools: v13.5.2
Platform: Ubuntu 23.10
[REQUIRED] Test case
Login to firebase tools with workspace account, wait for oauth refresh token to expire (seems like it only takes an hour), and try to use any firebase-tools command.
[REQUIRED] Steps to reproduce
Sign in to firebase-tools with a google workspace account.
Use firebase-tools as normal.
Wait a couple hours, firebase-tools breaks:
FirebaseCommandException: An error occured on the Firebase CLI when attempting to run a command.
From the log:
[debug] [2024-03-21T09:54:19.248Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[debug] [2024-03-21T09:54:19.248Z] > authorizing via signed-in user (admin@<my_domain>)
[debug] [2024-03-21T09:54:19.251Z] > refreshing access token with scopes: []
[debug] [2024-03-21T09:54:19.251Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[debug] [2024-03-21T09:54:19.252Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[debug] [2024-03-21T09:54:19.706Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[debug] [2024-03-21T09:54:19.706Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[debug] [2024-03-21T09:54:19.706Z] Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth
For CI servers and headless environments, generate a new token with firebase login:ci
[debug] [2024-03-21T09:54:20.110Z] FirebaseError: Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth
Running firebase login yields:
Already logged in as admin@<my_domain>
[REQUIRED] Expected behavior
Since this issue is not present with my personal account, I assume there are some settings set by Google Admin Console. I have checked the Google Cloud session control and the App Access Control and there is no way to mark firebase cli as a trusted application, or extend the validation time for the oath token.
I expect to be able to login once, and have a valid refresh token for at least the same length of time as my other google services, but would ideally not have to log in again since I do not have to with my personal account.
[REQUIRED] Actual behavior
In order to get firebase-tools working again, I have to run firebase-login --reauth which although, on the surface doesn't seem like a big deal, but it gets annoying to do every single day, and sometimes even after a short lunch break too.
11:56:48 ❯ firebase projects:list --debug
[2024-03-21T10:01:51.933Z] Field ".functions" in "firebase.json" is possibly invalid: should be object
[2024-03-21T10:01:51.934Z] Field ".functions[0].runtime" in "firebase.json" is possibly invalid: should be equal to one of the allowed values
[2024-03-21T10:01:51.934Z] Field ".functions" in "firebase.json" is possibly invalid: should match some schema in anyOf
[2024-03-21T10:01:51.935Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2024-03-21T10:01:51.935Z] > authorizing via signed-in user (admin@<my_domain>)
⠋ Preparing the list of your Firebase projects[2024-03-21T10:01:51.937Z] > refreshing access token with scopes: []
[2024-03-21T10:01:51.938Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[2024-03-21T10:01:51.938Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
⠧ Preparing the list of your Firebase projects[2024-03-21T10:01:52.516Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[2024-03-21T10:01:52.516Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[2024-03-21T10:01:52.516Z] Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth
For CI servers and headless environments, generate a new token with firebase login:ci
✖ Preparing the list of your Firebase projects
[2024-03-21T10:01:52.920Z] FirebaseError: Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth
For CI servers and headless environments, generate a new token with firebase login:ci
at invalidCredentialError (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/auth.js:142:12)
at refreshTokens (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/auth.js:515:15)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Client.getAccessToken (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/apiv2.js:161:22)
at async Client.addAuthHeader (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/apiv2.js:152:21)
at async Client.request (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/apiv2.js:105:34)
at async getProjectPage (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/management/projects.js:238:17)
at async getFirebaseProjectPage (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/management/projects.js:255:23)
at async listFirebaseProjects (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/management/projects.js:286:29)
at async Command.actionFn (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/commands/projects-list.js:51:20)
Error: Failed to list Firebase projects. See firebase-debug.log for more info.
Also note, the log says that there is an issue with the runtime property in the functions object of firebase.json.
I know that this property is in the docs, and it is the only way to get firebase functions with python to run locally in emulators since I do not have python 3.12 installed on my system, I have to specify runtime of python311. Thats another issue entirely though.
