Firebase-js-sdk: Missing permission for Firestore with Firebase 8.0.1

Created on 8 Nov 2020  Â·  11Comments  Â·  Source: firebase/firebase-js-sdk

Describe your environment

  • Operating System version: macOS 10.15.7
  • Browser version: Chrome 86.0
  • Firebase SDK version: 8.0.1
  • Firebase Product: Authentication + Firestore

Describe the problem

I just upgraded Firebase from v7.21.0 to v8.0.1 and spotted a bug on Firestore. When creating a user, I’m creating a custom claim for the user. In my Firestore Rules, I’m using the custom claim to enable access. The first time I’m querying Firestore, I receive a Missing permission. After reloading the page, the exact same code loads without issue. The issue is not there on 7.21.0.

Steps to reproduce:

Set a custom claim right after creating user with email and password, and then try loading a document from Firestore with the custom claim as condition.

Relevant Code:

Those are extracts from my configurations with names changed.

match /example/{eid} {
  allow read: if
    eid in request.auth.token &&
    request.auth.token[eid] != null;
  allow update: if false;
  allow write: if false;
}

// backend part
const user = await admin.auth().getUser(id)
const customClaims = user.customClaims || {}
await admin.auth().setCustomUserClaims(id, {
  [example.id]: 'member',
  ...customClaims,
})

// frontend part
const query = async () => {
  try {
    await user.getIdTokenResult(true)
    return await firestore.collection('example').doc(example.id).get()
  } catch (error) {
    return query()
  }
}
query()  // This raise an issue. Then after reload it works.
auth firestore closed-by-bot needs-info no-recent-activity
Source
picture ghivert
👍4

All 11 comments

I wanted to confirm the bug while enjoying the new emulators, so I tried different version: the bug is present on v8.0.1 but not on v8.0.0.

The exact error message:

FirebaseError: Missing or insufficient permissions.
    at new Nr (http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:45522)
    at http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:169449
    at cf.onMessage (http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:170279)
    at http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:168331
    at http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:168736
    at http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:113756

I’m using the emulator to get the Firebase SDK, so my index.html is as follows:

<html>
  <!-- Things here… -->
  <body>
    <!-- Other things here… -->
    <script src="/__/firebase/8.0.1/firebase-app.js"></script>
    <script src="/__/firebase/8.0.1/firebase-auth.js"></script>
    <script src="/__/firebase/8.0.1/firebase-firestore.js"></script>
    <script src="/__/firebase/8.0.1/firebase-storage.js"></script>
    <script src="/__/firebase/8.0.1/firebase-functions.js"></script>
    <!-- <script src="/__/firebase/8.0.1/firebase-analytics.js"></script> -->
    <script src="/__/firebase/8.0.1/firebase-performance.js"></script>
    <script src="/__/firebase/init.js"></script>
  </body>
</html>
ghivert picture ghivert on 9 Nov 2020
👍1

Hi, thanks for filing this.

Are you seeing this bug only when interacting with the emulators, or is it happening in production as well?

samhorlbeck picture samhorlbeck on 9 Nov 2020

Hi,

It’s happening with the emulators and with a production release when switching from v8.0.0 to v8.0.1

ghivert picture ghivert on 10 Nov 2020
👍1

Okay, thanks. Another question (trying to determine if this is on the Auth side or the Firestore side): if you inspect the results of await user.getIdTokenResult(true), do you see your custom claims in the claims field?

samhorlbeck picture samhorlbeck on 12 Nov 2020

Yes, the await user.getIdTokenResult(true) shows properly my [example.id]: 'member' claim, so the backend is running smoothly. Do you need a small reproducible bug (I can try to do it, but not now), or is it enough for you?

ghivert picture ghivert on 13 Nov 2020

@ghivert I tried reproducing this at v8.0.1, but it seemed to work for me. How are you splitting the backend and frontend functionality in your code? Could you please provide a small repro?

thebrianchen picture thebrianchen on 18 Nov 2020


Hey @ghivert. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

google-oss-bot picture google-oss-bot on 25 Nov 2020


Since there haven't been any recent updates here, I am going to close this issue.

@ghivert if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.

google-oss-bot picture google-oss-bot on 1 Dec 2020

Exact same problem unfortunately. After creating a user and setting via Cloud Functions a custom claim, the first update fails even after the firebase.auth().currentUser.getIdToken(true) (I also checked that the claims are present on the client). Instead, if I wait some seconds before calling the update, the problem is not present.
I'm using the firestore and functions emulator but not the auth one. Hope this helps, thanks!

molimauro picture molimauro on 1 Dec 2020
👍1

I can try to provide a small reproducible example, but not before next week. :(

ghivert picture ghivert on 1 Dec 2020

Same as #4175? :)

molimauro picture molimauro on 10 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

damonmaria picture damonmaria  Â·  4Comments
hvonralvert picture hvonralvert  Â·  3Comments
ptrwtts picture ptrwtts  Â·  4Comments
henrylearn2rock picture henrylearn2rock  Â·  4Comments
mohshraim picture mohshraim  Â·  3Comments