0

I'm currently using Firebase Functions v1.0.3 and Firebase Admin v5.12.1. It seems to be working fine with the express NodeJS library.

Issue

However, when I tried to secure the request by sending an Authorization header:

Authorization: Bearer <token>

It did not show any logs of my tokens. I couldn't see any words that matches Bearer or Authorization Bearer (whatsoever) when I used console.log(request) inside my Firebase Functions index.js file to get the token.

All I get was the following from req.headers when I use console.log:

{ 'content-length': '0',
  'accept-language': 'en-US,en;q=0.9',
  'accept-encoding': 'gzip, deflate, br',
  referer: 'http://localhost:5000/admin/',
  accept: '*/*',
  'access-control-request-headers': 'authorization,content-type',
  'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36',
  origin: 'http://localhost:5000',
  'access-control-request-method': 'GET',
  connection: 'close',
  host: 'localhost:5001' 
}

Documentation Sources

I've read a documentation about Firebase Functions Samples: Authorized HTTPS Endpoint sample codes, and some of it seems outdated.

firebase.auth().currentUser.getToken()

For instance is now: 

firebase.auth().currentUser.getIdToken()

Other Libaries

I've tried to install libraries such as express-authorization-bearer and express-bearer-token, and I could still not catch the idToken.

I'm wondering if this is a NodeJS issue or a Firebase Functions issue. I'm currently using NodeJS v6.11.4

Question

How do I catch the token inside Firebase Functions using Express or any method using NodeJS?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Franz Noel
  • 1,820
  • 2
  • 23
  • 50

1 Answers1

1

The Authorization bearer worked. Here are the results when I console.log(req.headers):

{ 'accept-language': 'en-US,en;q=0.9',
  'accept-encoding': 'gzip, deflate, br',
  referer: 'http://localhost:5000/admin/',
  accept: '*/*',
  'content-type': 'application/json',
  'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36',
  origin: 'http://localhost:5000',
  authorization: 'Bearer something',
  connection: 'close',
  host: 'localhost:5001' }

The token is something in this case

Important notes:

  • The req.headers.authorization does not work with Assigning Multiple Origins, because it gives the error Cannot set headers after they are sent, but it should work easily by allowing any origin and with cors as a middleware:

    var cors = require('cors')({origin: true}); app.use(cors);

    The req.headers.authorization is already securing it, anyway.

  • req.headers.authorization can not be assigned to a parameter, otherwise it will become undefined

  • Using the same documentation from Authorized HTTPS Endpoints, it should completely work only if cors, cookies with cookie-parser plugin, and req.headers.authorization are completely enabled and sent to the firebase-functions endpoint.

Franz Noel
  • 1,820
  • 2
  • 23
  • 50