firebase-js-sdk

Login access token for sign in functionality missing

Open seaders opened this issue 8 months ago • 1 comments

Operating System

Windows 11, macOS 15.4

Environment (if applicable)

Chrome 135, Node 22.14.0

Firebase SDK Version

11.1.0

Firebase SDK Product(s)

Auth

Project Tooling

React Chrome extension with Plasmo

Detailed Problem Description

In Chrome extensions, you can have many contexts which don't share user login functionality. For "true" sign in, this can be circumvented by controlling the login flow, like:

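// Assumed imports: Storage is taken to be Plasmo's storage package (the project tooling named above)
import { Storage } from "@plasmohq/storage"
import { GoogleAuthProvider, signInWithCredential } from "firebase/auth"

// `auth`, getAuthUrl() and extractAccessToken() are defined elsewhere in the extension

// shared storage between all clients
const authStorage = new Storage()

const USER_TOKEN_KEY = "user_token"

// every context watches the shared key and signs in when a new token arrives
authStorage.watch({
  [USER_TOKEN_KEY]: ({ newValue, oldValue }) => {
    if (newValue !== oldValue) {
      // second argument is the Google OAuth access token (no ID token is passed)
      const credential = GoogleAuthProvider.credential(null, newValue as string)
      void signInWithCredential(auth, credential)
    }
  }
})

// must be async: the body awaits launchWebAuthFlow
async function signIn() {
  const responseUrl = await chrome.identity.launchWebAuthFlow({
    url: getAuthUrl(),
    interactive: true
  })

  const url = new URL(responseUrl)
  const token = extractAccessToken(url.hash)

  // publish the token so the other contexts pick it up
  void authStorage.set(USER_TOKEN_KEY, token)
}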

This is cumbersome, but it works for Google sign-ins, which is all we've used until now. The token that's synced between contexts, through Chrome's shared storage, allows all clients to start a login, and if successful, pushes it to the rest.

The problem now is, we want to add functionality to sign users in as anonymous with signInAnonymously, and while that runs successfully in the context it's started, the accessToken or idToken returned in the UserCredential response cannot be used to log in elsewhere.

Any effort by other contexts to sign in like above results in errors of

FirebaseError: Firebase: Unsuccessful check authorization response from Google: {
  "error_description": "Invalid Value"
}
 (auth/invalid-credential).
    at _errorWithCustomMessage (assert.ts:101:14)
    at _performFetchWithErrorHandling (index.ts:223:21)
    at async _performSignInRequest (index.ts:251:7)
    at async _signInWithCredential (credential.ts:49:9)

I thought about writing this about just signInAnonymously but, realistically, that's just a new issue we're facing here. To properly be able to solve this, I consider this a bug affecting all the sign-in methods.

This issue is specifically a bug for the Chrome environment, but could hit other environments too.

Steps and code to reproduce issue

Log in in the popup context of a Chrome extension and try to log in with that same user in the injected content context; there isn't any way to do it with the API (and no way to do it at all with login as anonymous).

seaders Apr 08 '25 17:04
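Added example (not part of the issue or of the Firebase SDK): a small Node.js check that classifies a token read from shared storage before it is passed to GoogleAuthProvider.credential(null, token). It relies on Firebase ID tokens being JWTs whose iss claim starts with https://securetoken.google.com/, and assumes Google OAuth access tokens are opaque (non-JWT) strings; the function names and sample tokens are constructed for illustration.

```javascript
// Decode a JWT payload for inspection only; the signature is NOT verified here.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null; // not JWT-shaped: treat as opaque
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null; // three segments, but the payload is not JSON
  }
}

// Classify a token by its issuer claim (hypothetical helper).
function classifyToken(token) {
  const payload = decodeJwtPayload(token);
  if (payload === null) return { kind: "opaque" };
  const iss = typeof payload.iss === "string" ? payload.iss : "";
  if (iss.startsWith("https://securetoken.google.com/")) {
    // Firebase ID token; the firebase claim names the sign-in provider
    const provider = payload.firebase?.sign_in_provider ?? "unknown";
    return { kind: "firebase-id-token", provider };
  }
  if (iss === "https://accounts.google.com" || iss === "accounts.google.com") {
    return { kind: "google-id-token" };
  }
  return { kind: "other-jwt" };
}

// Only an opaque token is a candidate for the accessToken argument
// (assumption stated in the lead-in).
function usableAsGoogleAccessToken(token) {
  return classifyToken(token).kind === "opaque";
}

// Constructed samples: an unsigned JWT shaped like an anonymous Firebase
// ID token, and a placeholder standing in for an OAuth access token.
function makeUnsignedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}
const SAMPLE_ANON_ID_TOKEN = makeUnsignedJwt({
  iss: "https://securetoken.google.com/example-project",
  firebase: { sign_in_provider: "anonymous" }
});
const SAMPLE_OAUTH_TOKEN = "constructed-opaque-access-token";
```

In an extension context, where Buffer is not available, the payload decode would need a browser base64url decoder instead.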

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot Apr 08 '25 17:04