firebase-js-sdk

[FCM] `updateToken` always blocked by CORS

Open k-1ee opened this issue 1 year ago • 3 comments

Operating System

MacOS Sonoma 14.4.1

Browser Version

Chrome/124.0.6367.92

Firebase SDK Version

10.8.0

Firebase SDK Product:

Messaging

Describe your project's tooling

Next.js app

Describe the problem

When getToken is called with an expired FCM token, the SDK attempts to update the token by making a call to updateToken, which sends a PATCH request to the Firebase backend. However, this update sequence always fails due to the following CORS error:

Access to fetch at 'https://fcmregistrations.googleapis.com/v1/projects/{projectId}/registrations/{token}' from origin '...' has been blocked by CORS policy: Method PATCH is not allowed by Access-Control-Allow-Methods in preflight response.

Is the PATCH method missing from the allowed methods list of this endpoint?

Since the token expiry is set to one week, this issue is not easy to reproduce. However, a subsequent call to getToken (refreshing the page in our case) seems to work fine.

Steps and code to reproduce issue

  • Initialize Firebase & call getToken
  • After the token has expired (set to one week by SDK), call getToken
  • See that getToken fails at PATCH request due to CORS

k-1ee avatar May 06 '24 17:05 k-1ee

Checked server stats, fm server has been serving patch to the update_token endpoint without outages. Unsure why the error. If it's non-recurring, feel free to close.

zwu52 avatar May 07 '24 21:05 zwu52

@zwu52 - Thanks for checking! But this has been a recurring issue for the past couple weeks.

Just to make sure, does the following endpoint allow PATCH under Access-Control-Allow-Methods?

https://fcmregistrations.googleapis.com/v1/projects/{projectId}/registrations/{token}

k-1ee avatar May 07 '24 21:05 k-1ee

Still facing this issue

k-1ee avatar Jun 18 '24 17:06 k-1ee

> Checked server stats, fm server has been serving patch to the update_token endpoint without outages. Unsure why the error. If it's non-recurring, feel free to close.

@zwu52 I believe there wouldn't be outages since the request was blocked by CORS in the first place.

This screenshot shows that the preflight response does not include PATCH:

Screenshot 2024-07-08 at 10 24 12 AM

k-1ee avatar Jul 08 '24 17:07 k-1ee

Hmm. The server is configured to accept PATCH.

Also, when I make a preflight request

curl -X OPTIONS 'https://fcmregistrations.googleapis.com/v1/projects/{project_id}/registrations/{registration_id}' \
     -H 'Origin: {my_origin}' \
     -H 'Access-Control-Request-Method: PATCH' \
     -H 'Access-Control-Request-Headers: X-Custom-Header' \
     -i

I get

HTTP/2 200 
access-control-allow-origin: {my_origin}
vary: origin
vary: referer
vary: x-origin
access-control-allow-methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT

What happens if you run the curl? Can you try to figure out what the registered origin for the URI is?

zwu52 avatar Jul 09 '24 16:07 zwu52
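
An added example (not part of the thread or of the Firebase SDK): a small Node.js helper that takes the `curl -i` output of a preflight like the one above and applies the browser's origin and method checks from the Fetch standard, so a response captured for one origin can be compared with another. The origin `https://app.example` and both sample responses are constructed; the request is assumed to be sent without credentials, and the `Access-Control-Allow-Headers` check is omitted.

```javascript
// Methods that never need to be listed in Access-Control-Allow-Methods.
const SAFELISTED = new Set(['GET', 'HEAD', 'POST']);

// Parse the status line and header block of `curl -i` output.
function parseResponse(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const status = Number(lines[0].split(/\s+/)[1]);
  const headers = new Map();
  for (const line of lines.slice(1)) {
    if (line.trim() === '') break; // end of header block
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)},${value}` : value);
  }
  return { status, headers };
}

// Assumption: credentials mode is not "include", so "*" wildcards are honoured.
function checkPreflight(raw, origin, method) {
  const { status, headers } = parseResponse(raw);
  if (status < 200 || status > 299) return { ok: false, reason: `status ${status}` };
  const allowOrigin = headers.get('access-control-allow-origin');
  if (allowOrigin !== origin && allowOrigin !== '*') {
    return { ok: false, reason: 'origin not allowed' };
  }
  const methods = (headers.get('access-control-allow-methods') || '')
    .split(',').map((m) => m.trim()).filter(Boolean);
  // The comparison is case-sensitive: "patch" does not match "PATCH".
  const methodOk = SAFELISTED.has(method) || methods.includes(method) || methods.includes('*');
  if (!methodOk) return { ok: false, reason: `method ${method} not allowed` };
  return { ok: true, reason: 'preflight passes' };
}

// Constructed samples; https://app.example is a placeholder origin.
const WITH_PATCH = `HTTP/2 200
access-control-allow-origin: https://app.example
vary: origin
access-control-allow-methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT
`;
const WITHOUT_PATCH = `HTTP/2 200
access-control-allow-origin: https://app.example
access-control-allow-methods: DELETE,GET,HEAD,OPTIONS,POST,PUT
`;
console.log(checkPreflight(WITH_PATCH, 'https://app.example', 'PATCH'));
console.log(checkPreflight(WITHOUT_PATCH, 'https://app.example', 'PATCH'));
```

Running the preflight `curl` with the exact `Origin` the browser sends and feeding the output to `checkPreflight` shows whether the response differs per origin.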

Hey @k-1ee. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

google-oss-bot avatar Jul 16 '24 01:07 google-oss-bot

Since there haven't been any recent updates here, I am going to close this issue.

@k-1ee if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.

google-oss-bot avatar Jul 23 '24 01:07 google-oss-bot