
Final goal: an Angular client receives a token valid for one hour in order to query data from FireStore.

Steps to produce a proof of concept and learn how to work with Custom Tokens:

1 - I created a project in Firebase using firebase tool (https://console.firebase.google.com/project/firetestjimis/overview)

2 - I added a Firestore database and created a collection. I chose production instead of test because this POC is aimed at security.

3 - I manually added a user in Firebase/Authentication/Add User

4 - I copied the User UID from the user added above (it is used below)

5 - I created a very simple Firebase Cloud Function application in order to answer back a Custom Token. Basically I ran firebase init and added this code in index.ts

import * as functions from 'firebase-functions';
import * as admin from "firebase-admin";

export const getCustomToken = functions.https.onRequest((request, response) => {
    if (admin.apps.length < 1) {   // Checks if the Admin SDK app is already initialized
        admin.initializeApp();
    }
    const uid = "UID mentioned above";

    admin.auth().createCustomToken(uid)
        .then(function (customToken) {
            // Do not write the token itself to the logs; it is a credential.
            // (The original logged customToken.toString without calling it,
            // which prints the function reference, not the token.)
            console.log("Created custom token for uid", uid);
            response.send(customToken);
        })
        .catch(function (error) {
            console.log("Error creating custom token:", error);
            // Always answer the request, otherwise the client hangs until timeout
            response.status(500).send("Error creating custom token");
        });
});

I reached this by following another Stack Overflow answer

6 - I can successfully get a Custom Token from https://us-central1-firetestjimis.cloudfunctions.net/getCustomToken

7 - I can successfully post this Custom Token to https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken and get back an idToken like

{
  "kind": "identitytoolkit#VerifyCustomTokenResponse",
  "idToken": "eyJhbGciOiJSUzI1NiI ... .... aMorw",
  "refreshToken": "AE0u-Ney9OJ04Z3xA7ACsmI1S637hXeuCTEdaEU9cxhhPnlwh-9q0X7QpSxVRIYdTdrTgXUbS9Q6yUdAWVeXzhGMiLLLHtwSWSoVSWnZs3Gp1Sb050tThNPQiSsSss8GkCigft3PTBkY4nIbRy3A5dA8FHCLbMYQSfKYqvu8To76UyMVCYONJOM",
  "expiresIn": "3600",
  "isNewUser": false
}

8 - Now I want to post a simple document to the Firestore collection through

curl --location --request POST 'https://firestore.googleapis.com/v1/projects/firetestjimis/databases/(default)/documents/transfer' \
--header 'Authorization: Bearer /eyJhbGc ... ... iNaMorw' \
--header 'Content-Type: application/json' \
--data-raw '{
  "fields": {
    "id": {
      "stringValue": "1"
    },      
    "status": {
      "stringValue": "fracasso"
    }
  }
}'

and I get this error:

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}

So my main question is: isn't that idToken returned from https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken a valid token to reach the related Firestore?

Jim C
  • It appears that you have posted sensitive/private information. Please reset your passwords and/or revoke API keys and tokens, as they are considered compromised when posted on the internet. – Samuel Liew Apr 22 '20 at 09:04

1 Answer

There is a forward slash before the ID token in the header that shouldn't be there:

--header 'Authorization: Bearer /eyJhbGc ... ... iNaMorw' \
                                ^
Doug Stevenson
  • thanks, my bad. Now I am getting "error": { "code": 403, "message": "Missing or insufficient permissions.", "status": "PERMISSION_DENIED" }. PS. Naturally, I get new Custom Token and post it to googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken again to get a new valid idToken. – Jim C Apr 21 '20 at 13:13
  • I created a specific question regard "insufficient permissions": https://stackoverflow.com/questions/61345129/missing-or-insufficient-permissions-during-post-a-document-to-firestore-using-cu – Jim C Apr 21 '20 at 14:08
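An added example, not code from the question or the answer: a client-side sanity check on the value placed in the Authorization header before the Firestore REST call, covering the flow in the question (custom token exchanged for an ID token at verifyCustomToken) and the stray-slash mistake the answer found. It assumes Node's Buffer, a constructed service-account email and constructed, unsigned sample tokens; it does not verify signatures, which Firestore does server-side.

```javascript
// Added example, not from the question or answer: sanity-check the value that goes
// into "Authorization: Bearer ..." for the Firestore REST call. It does not verify
// the signature (Firestore does that); it catches the two mistakes this thread turns
// on: a stray character in front of the token, and sending the custom token instead
// of the ID token that verifyCustomToken returns. Firebase ID tokens carry
// iss = https://securetoken.google.com/<projectId> and aud = <projectId>; custom
// tokens carry iss = the service-account email and aud = the identitytoolkit URL.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8'); // Node tolerates missing '='
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected header.payload.signature');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the header value to send, or throws with the reason it must not be sent.
function buildFirestoreAuthHeader(idToken, projectId, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(String(idToken))) {
    throw new Error('token is not a base64url JWT (leading "/" or whitespace?)');
  }
  const claims = decodeJwtPayload(idToken);
  if (claims.iss !== `https://securetoken.google.com/${projectId}`) {
    throw new Error(`iss ${claims.iss}: not an ID token (custom token sent by mistake?)`);
  }
  if (claims.aud !== projectId) throw new Error(`aud ${claims.aud} is not project ${projectId}`);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('ID token expired');
  return `Bearer ${idToken}`;
}

// Constructed sample tokens for the demo: real header/payload shape, placeholder signature.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholdersig`;
}
const PROJECT = 'firetestjimis';
const goodIdToken = fakeJwt({ iss: `https://securetoken.google.com/${PROJECT}`, aud: PROJECT,
                              sub: 'some-uid', exp: 2000000000 });
// Constructed service-account email; the aud below is the one Firebase custom tokens use.
const customToken = fakeJwt({ iss: 'svc@firetestjimis.iam.gserviceaccount.com', uid: 'some-uid',
  aud: 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',
  exp: 2000000000 });
```

With this check in front of the curl call from the question, the leading "/" would have been rejected before the 401 ever came back from Firestore.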