firebase-functions icon indicating copy to clipboard operation
firebase-functions copied to clipboard

Published 20 hours ago verified publisher icon firebase

Feature Request: Allow configuring callable functions to use `checkRevoked` in its call to `verifyIdToken`

Open johangu opened this issue 2 years ago • 1 comments

Related issues

N/A

[REQUIRED] Version info

node: 16.17.1

firebase-functions: 3.24.0

firebase-tools: 11.10.0

firebase-admin: 11.0.1

[REQUIRED] Test case


module.exports = functions.https.onCall(async (data, context) =>  true)

[REQUIRED] Steps to reproduce

Revoke the users refresh token an call the above function

[REQUIRED] Expected behavior

I should have an option to make sure the function calls verifyIdToken with checkRevoked = true so a user with a revoked token is unable to call the functions. The only call I can find happens here and has no way of passing checkRevoked = true as it's defaulted to false: https://github.com/firebase/firebase-functions/blob/ffa3a574087e12e0fd866d504328b6a6e3d7f344/src/common/providers/https.ts#L591

[REQUIRED] Actual behavior

A user with a revoked token can call the function just fine as long as the expiry of the ID token hasn't passed.

Were you able to successfully deploy your functions?

N/A

johangu avatar Nov 09 '22 14:11 johangu