firebase-functions icon indicating copy to clipboard operation
firebase-functions copied to clipboard

Published 20 hours ago verified publisher icon firebase

Don't verify auth token on public endpoints

Open AlexJetplan opened this issue 1 year ago • 12 comments

[REQUIRED] Version info

node:

v18.19.0

firebase-functions: 4.9.0

firebase-tools:

13.5.2

firebase-admin: 12.0.0

[REQUIRED] Test case

  • Create a public endpoint
    • Any type of endpoint will do, it can literally just return hello world
    • It needs to be public
export const heartbeat = onCall(() => {
	const data  = {
		isConnected: true,
		timestamp: new Date().getTime(),
	}

         return data
})

[REQUIRED] Steps to reproduce

  • Send a request to that endpoint with a valid auth token in the Auhtorization header
    • It should work
  • Send a request to that endpoint without any token at all and no header
    • It should work
  • Send a request to that endpoint with an invalid auth token in the Authroization header
    • It will reject the request

[REQUIRED] Expected behavior

Since it's a public endpoint it should always return a response, no matter if the token is provided, valid, or invalid. I have had cases in the past where the js SDK would cause the token to become invalid and users couldn't access public endpoints anymore, one of which was a heartbeat endpoint to make sure the user is still connected.

[REQUIRED] Actual behavior

The request is rejected when you provide an auth header with an invalid token.

Were you able to successfully deploy your functions?

Yes

AlexJetplan avatar Apr 30 '24 06:04 AlexJetplan

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

google-oss-bot avatar Apr 30 '24 06:04 google-oss-bot

Hey @AlexJetplan you need to set the invoker to public to allow the function to serve public requests. You can put it directly in the options object where you specify cors (or alternatively in the global options for all funcitons):

export const heartbeat = onRequest({ cors: true, invoker: "public" }, (request, response) => {
	const data  = {
		isConnected: true,
		timestamp: new Date().getTime(),
	}
	response.json({ data })
})

Thanks

colerogers avatar May 02 '24 15:05 colerogers

Hey @AlexJetplan you need to set the invoker to public to allow the function to serve public requests. You can put it directly in the options object where you specify cors (or alternatively in the global options for all funcitons):

export const heartbeat = onRequest({ cors: true, invoker: "public" }, (request, response) => {
	const data  = {
		isConnected: true,
		timestamp: new Date().getTime(),
	}
	response.json({ data })
})

Thanks

Hey, my apologies, I posted the wrong sample code, the issue was in regards to onCall. In fact if you use onRequest as described in my post it actually works, it only doesn't work when you use onCall.

The issue also isn't that it isn't publicly available, the issue is that it is accessible by anybody but at the same time if you provide an invalid token it will reject the request.

I have updated the issue with the code that won't work, my apologies!

AlexJetplan avatar May 06 '24 06:05 AlexJetplan

Hey @AlexJetplan. How are you invoking this function? Via an HTTPS request?

exaby73 avatar May 17 '24 06:05 exaby73

Hey @AlexJetplan. How are you invoking this function? Via an HTTPS request?

Hey!

In our app we are invoking it using the firebase sdk, but for you to reproduce the issue more easily you can just use a regular https client like postman or curl or whatever you want, anything will work. The important bit is that you have to send a request that has the Authorization header with an invalid token.

AlexJetplan avatar May 21 '24 06:05 AlexJetplan

Is there a use case where you need to send an invalid token to a public endpoint? I feel like this can be solved by omitting the token from the client if I am not wrong

exaby73 avatar Jul 15 '24 08:07 exaby73

Is there a use case where you need to send an invalid token to a public endpoint? I feel like this can be solved by omitting the token from the client if I am not wrong

If you are using the firebase sdk you don't have control over the header being emitted or not. You simply just do:

functions.httpsCallable('functionName')()

AlexJetplan avatar Jul 15 '24 08:07 AlexJetplan

Just to understand your case better, is the SDK sending an invalid auth header?

exaby73 avatar Jul 23 '24 06:07 exaby73

Just to understand your case better, is the SDK sending an invalid auth header?

Yes the sdk is sending an invalid auth header.

They are invalid in the sense that the auth token probably expired. So it's not the formatting that's invalid, it's the token itself.

AlexJetplan avatar Jul 23 '24 07:07 AlexJetplan

Hey @AlexJetplan. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

google-oss-bot avatar Aug 01 '24 01:08 google-oss-bot

bump

AlexJetplan avatar Aug 01 '24 06:08 AlexJetplan