Firestore - token doesn't update in the Firestore Rules #1499

Closed
sanks opened this issue Jul 6, 2018 · 3 comments · Fixed by #1692
@sanks

sanks commented Jul 6, 2018

  • Xcode version: 9.4.1
  • Firebase SDK version: 5.4.0
  • Firebase Component: Firestore
  • Component version: 0.12.5

The problem

After setting up custom claims for a user through Cloud Functions, the token (and the custom claims together with it) wasn't updated in Firestore Rules.

Even after calling getIDTokenForcingRefresh(true), the rule doesn't allow getting a document. However, in the app, I see that the token was updated and contains my custom claim.

Only signing out and signing in again helps. But it's not good for the user...

The problem is exactly and only with the Firestore Rules section. I checked the Storage Rules section with similar rules, and the token/custom claims were updated there. Also, I checked the Cloud Functions context, and the token/custom claims were updated there as well.

Steps to reproduce:

  1. Set up Firestore rules based on custom claims.
  2. Update the user's custom claims through a Firebase Function.
  3. Call getIDTokenForcingRefresh(true).
  4. Try to get a document that should be available only to a user with a certain custom claim.
  5. Unable to get the document because of a lack of permissions.

Relevant Code:

Firestore Rules:

service cloud.firestore {
    match /databases/{database}/documents {
        match /items/{itemId} {
            allow read: if request.auth.token.customField == true;
        }
    }
}

Cloud Function:

const myFunction = function (data, context) {
    return FirebaseAdmin.auth().setCustomUserClaims(uid, {
        customField: true
    });
}

Function call and token refresh:

functions.httpsCallable("my-function").call() { (result, error) in
    if let error = error {
        debugPrint(error)
        return
    }
    Auth.auth().currentUser?.getIDTokenResult(forcingRefresh: true, completion: { (result, error) in
        debugPrint(result?.claims["customField"]) // equals true here, but...
        db.document("items/1").getDocument { (document, error) in
            debugPrint(document?.documentID) // nil
            debugPrint(document?.exists) // false
            // but the document exists in Firestore for sure,
            // and if I disable the Firestore rule or sign out and sign in again, it works
        }
    })
}
@sanks sanks changed the title Firestore - custom claims don't update in rules Jul 6, 2018
@morganchen12
Contributor

@sanks instead of signing out and signing back in, are you able to work around this by reloading the user?

@sanks
Author

sanks commented Jul 12, 2018

@morganchen12 no, reloading the user doesn't help either.

@mikelehen
Contributor

This is a known issue. Right now the Firestore SDK ignores token changes if the uid doesn't change. We likely need to rework the code here:

Sorry for the inconvenience! For now, signing out / back-in is the only workaround.

mikelehen pushed a commit to firebase/firebase-js-sdk that referenced this issue Aug 14, 2018
See firebase/firebase-ios-sdk#1499

This reworks our UserListener into a CredentialChangeListener which
fires on any token change, even if the User did not change. This allows
us to restart our streams (but not switch mutation queues, etc.) on token
changes.
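
The known issue described above (token changes ignored while the uid stays the same) and the fix in this commit message (a listener that fires on any token change and restarts streams) can be seen side by side in a small model. This is an added example, not code from the Firebase SDKs or from any participant in this thread; the class names, the `scenario` helper, the sample uid and the assumption that a stream keeps the token it was opened with are all hypothetical.

```javascript
// Added illustration: toy model, not Firebase SDK code; every name is hypothetical.
// Stand-in for the rule: allow read: if request.auth.token.customField == true;
const ruleAllowsRead = (token) => token.claims.customField === true;

// Auth side: holds the current ID token, notifies listeners when it is replaced.
class Auth {
  constructor(uid) {
    this.token = { uid, claims: {} };
    this.listeners = [];
  }
  onTokenChanged(fn) { this.listeners.push(fn); }
  // Models a forced token refresh after the server set new custom claims.
  refreshToken(claims) {
    const previous = this.token;
    this.token = { uid: previous.uid, claims: { ...claims } };
    this.listeners.forEach((fn) => fn(previous, this.token));
  }
}

// Model assumption: a stream authenticates once, when opened, and rules are
// evaluated against the token that stream was opened with.
class Client {
  constructor(auth, restartOnAnyTokenChange) {
    this.auth = auth;
    this.restarts = 0;
    this.openStream();
    auth.onTokenChanged((prev, next) => {
      // "User listener": react only to a uid change (behaviour in the issue).
      // "Credential change listener": react to any token change (the fix).
      if (prev.uid !== next.uid || restartOnAnyTokenChange) {
        this.restarts += 1;
        this.openStream();
      }
    });
  }
  openStream() { this.streamToken = this.auth.token; }
  getDocument() {
    return ruleAllowsRead(this.streamToken) ? 'ok' : 'permission-denied';
  }
}

function scenario(restartOnAnyTokenChange) {
  const auth = new Auth('user-1'); // constructed sample uid
  const client = new Client(auth, restartOnAnyTokenChange);
  const before = client.getDocument();
  auth.refreshToken({ customField: true }); // claim set server-side, token refreshed
  const appSeesClaim = auth.token.claims.customField === true;
  return { before, after: client.getDocument(), appSeesClaim, restarts: client.restarts };
}
console.log({ userListener: scenario(false), credentialListener: scenario(true) });
```

In this model the same staleness would also keep a removed claim in effect until the stream is reopened, so restarting on every token change matters for revocation as well as for newly granted claims.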
mikelehen pushed a commit that referenced this issue Aug 14, 2018
[Port of firebase/firebase-js-sdk#1120]

Fixes #1499.

This reworks our "user listener" into a "credential change listener" that
fires on any token change, even if the User did not change. This allows
us to restart our streams (but not switch mutation queues, etc.) on token
changes.
@paulb777 paulb777 added this to the M32 milestone Aug 14, 2018
mikelehen added a commit that referenced this issue Aug 15, 2018
[Port of firebase/firebase-js-sdk#1120]

Fixes #1499.

This reworks our "user listener" into a "credential change listener" that
fires on any token change, even if the User did not change. This allows
us to restart our streams (but not switch mutation queues, etc.) on token
changes.
mikelehen added a commit to firebase/firebase-js-sdk that referenced this issue Aug 15, 2018
* firebase-ios-sdk/1499: Restart streams on any token change.

See firebase/firebase-ios-sdk#1499

This reworks our UserListener into a CredentialChangeListener which
fires on any token change, even if the User did not change. This allows
us to restart our streams (but not switch mutation queues, etc.) on token
changes.
@firebase firebase locked and limited conversation to collaborators Oct 30, 2019