Description
[REQUIRED] Describe your environment
- Operating System version: Ubuntu 20.04
- Browser version: Chrome, Firefox both latest
- Firebase SDK version: 8.1.1
- Firebase Product: auth, firestore
[REQUIRED] Describe the problem
Steps to reproduce:
In v8.0.0, I am able to perform the following sequence of operations successfully
- Add a custom claim to a user's token in the backend using admin sdk
- Force a token refresh on the client side using user.getIdTokenResult(true)
- Immediately perform a query that requires that custom claim in the security rules
In v8.1.1, the above sequence fails when trying to make the query that requires the new claim. I logged the result of user.getIdTokenResult(true) to the console and confirmed that it did in fact have the new claim, which led me to believe that the firestore sdk is using a stale token. Also, after I refresh the page, the query starts working.
Relevant Code:
I'm not sure how to create a complete reproduction, as this sequence involves the admin sdk in the backend to create the custom claim, but I will include some code snippets.
I have a firestore rule that looks like this:
match /listings/{listingId} {
// store_id is a custom claim added to the user's token
allow read: if resource.data.state == "available" || resource.data.store.id == request.auth.token.store_id;
}
In the backend I am running the following code in an http request to create a custom claim on my user:
import admin from "firebase-admin";
...
admin.auth().setCustomUserClaims(userId, {store_id: storeId});
In the front end I have code that does the following in response to the above request.
import firebase from "firebase/app";
...
addStoreIdToUserToken(storeId)
.then(() => firebase.auth().currentUser)
.then(user => user.getIdTokenResult(true))
.then(token => console.log(token.claims)); // The log here shows that the new token has the new claim
After the above chain of promises I make a query like this:
import firebase from "firebase/app";
// storeId is the same as the above code snippet
firebase.firestore().collection("listings").where("store.id", "==", storeId).get();
In version 8.0.0, the above code works, but in 8.1.1 I get a rules violation for the rule snippet above. This leads me to believe firestore is using a stale token without the new claim, even though I forced a refresh.
Thanks for looking into this, please let me know if you require any additional information.
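The sequence in the report, modelled as an added example that is not part of the issue and not Firebase SDK code: a stand-in for the client ID-token cache behind getIdTokenResult(forceRefresh), a stand-in for the backend that holds the custom claims setCustomUserClaims() writes, and an evaluator for the listing read rule quoted above. All names (makeAuthBackend, makeTokenCache, listingReadAllowed, queryListing, runScenario, assertClaimPresent) and the sample listing are constructed for this illustration; there is no signing or network. It shows why the rule fails closed when the data layer still holds a token without store_id, and why the token that carries the claim has to be the one the query is evaluated against.

```javascript
// Constructed model (not Firebase SDK code) of the token-refresh-then-query
// sequence from the issue. Claims are plain objects; nothing is signed.

// Stand-in for the auth backend holding the custom claims that the admin
// SDK's setCustomUserClaims() would write for a user.
function makeAuthBackend(initialClaims) {
  let claims = { ...initialClaims };
  return {
    setCustomUserClaims(newClaims) { claims = { ...claims, ...newClaims }; },
    mintIdToken() { return { claims: { ...claims } }; },
  };
}

// Stand-in for the client token cache: returns the cached token unless
// forceRefresh is true, which is what user.getIdTokenResult(true) relies on.
function makeTokenCache(backend) {
  let cached = null;
  return {
    getIdTokenResult(forceRefresh = false) {
      if (forceRefresh || cached === null) cached = backend.mintIdToken();
      return cached;
    },
  };
}

// The rule from the issue: readable if the listing is public or the
// caller's store_id claim matches the listing's store.
function listingReadAllowed(resource, token) {
  return resource.data.state === "available" ||
         resource.data.store.id === token.claims.store_id;
}

// Query path: the rule is evaluated against whatever token the data layer
// presents. A stale token lacking store_id is denied (fail closed).
function queryListing(resource, token) {
  if (!listingReadAllowed(resource, token)) {
    return { ok: false, error: "PERMISSION_DENIED" };
  }
  return { ok: true, data: resource.data };
}

// Check a client can run before issuing a claim-dependent query: only
// proceed once the token it just fetched actually carries the claim.
function assertClaimPresent(token, claimName, expected) {
  return token.claims[claimName] === expected;
}

// Runs the sequence from the report with a constructed listing and returns
// the outcome of the query under the stale and the refreshed token.
function runScenario() {
  const backend = makeAuthBackend({ uid: "user-1" });
  const cache = makeTokenCache(backend);
  const listing = { data: { state: "reserved", store: { id: "store-42" } } };

  const stale = cache.getIdTokenResult();           // cached before the claim exists
  backend.setCustomUserClaims({ store_id: "store-42" });
  const refreshed = cache.getIdTokenResult(true);   // forced refresh picks it up

  return {
    refreshedHasClaim: assertClaimPresent(refreshed, "store_id", "store-42"),
    withStaleToken: queryListing(listing, stale),     // the denial the issue observed
    withFreshToken: queryListing(listing, refreshed), // the expected outcome
  };
}

const result = runScenario();
console.log(result.withStaleToken.ok, result.withFreshToken.ok); // false true
```

The point of separating the two tokens is that the rule itself is correct: it denies exactly when the presented token has no matching store_id. A client that checks assertClaimPresent on the token it just fetched, and treats a denial as "the data layer is not using this token yet" rather than as a rules bug, narrows the problem to the token the query path actually carries.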