
Firestore - token doesn't update in the Firestore Rules #1499

Closed
@sanks

Description

  • Xcode version: 9.4.1
  • Firebase SDK version: 5.4.0
  • Firebase Component: Firestore
  • Component version: 0.12.5

The problem

After setting up custom claims for a user through Cloud Functions, the token (and the custom claims with it) wasn't updated in Firestore Rules.

Even after calling getIDTokenForcingRefresh(true), the rule still doesn't allow getting a document. However, in the app I can see that the token was updated and contains my custom claim.

Only signing out and signing in again helps. But that's not good for the user...

The problem is exactly and only with the Firestore Rules section. I checked the Storage Rules section with similar rules, and the token/custom claims were updated there. I also checked the Cloud Functions context, and the token/custom claims were updated there as well.

Steps to reproduce:

  1. Set up Firestore rules based on custom claims.
  2. Update the user's custom claims through a Firebase Function.
  3. Call getIDTokenForcingRefresh(true).
  4. Try to get a document that should be available only to a user with a certain custom claim.
  5. Unable to get the document because of a lack of permissions.

Relevant Code:

Firestore Rules:

service cloud.firestore {
    match /databases/{database}/documents {
        match /items/{itemId} {
            allow read: if request.auth.token.customField == true;
        }
    }
}

Cloud Function:

const functions = require("firebase-functions");
const FirebaseAdmin = require("firebase-admin");
FirebaseAdmin.initializeApp();

// Callable function: sets the custom claim on the calling user.
// The client then has to force-refresh its ID token to pick the claim up.
const myFunction = functions.https.onCall((data, context) => {
    const uid = context.auth.uid;
    return FirebaseAdmin.auth().setCustomUserClaims(uid, {
        customField: true
    });
});
exports.myFunction = myFunction;

Function call and token refresh:

import FirebaseAuth
import FirebaseFirestore
import FirebaseFunctions

let functions = Functions.functions()
let db = Firestore.firestore()

functions.httpsCallable("my-function").call { (result, error) in
    if let error = error {
        debugPrint(error)
        return
    }
    // Force a refresh so the new ID token carries the updated claims.
    Auth.auth().currentUser?.getIDTokenResult(forcingRefresh: true, completion: { (result, error) in
        debugPrint(result?.claims["customField"]) // equals true here, but...
        db.document("items/1").getDocument { (document, error) in
            debugPrint(document?.documentID) // nil
            debugPrint(document?.exists)     // false
            // but the document exists in Firestore for sure,
            // and if the rule is disabled or the user signs out and in again, it works
        }
    })
}
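The snippet in the report grants the claim to whoever calls the function, with no check on who the caller is. The block below is an added example (not code from the issue or from the Firebase project) of the server side done more carefully: the callable authorizes the caller from the verified token in `context.auth`, only sets claims from an allowlist, merges with the user's existing claims (setCustomUserClaims replaces the whole claims object), and tells the client it must refresh its ID token. The `grantClaim`, `authorizeClaimChange` and `fakeAuth` names, the `admin`-claim requirement and the in-memory stand-in for `admin.auth()` are assumptions made for this example so it runs offline; the real wiring with `functions.https.onCall` is shown in a comment.

```javascript
// Added example, not from the issue or the Firebase project.
// Claims this endpoint may set. Anything else is rejected so a caller
// cannot request e.g. {admin: true} through the request body.
const GRANTABLE_CLAIMS = new Set(["customField"]);

// Error carrying a code in the style of functions.https.HttpsError
// (assumption: the deployed handler would throw HttpsError instead).
class ClaimError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Authorization decision: who may set which claim on whom.
// context.auth is the caller's ID token as Cloud Functions hands it to an
// onCall handler; its signature is already verified, so its claims are the
// trustworthy input for this check (assumption: an "admin" claim marks
// accounts allowed to grant claims).
function authorizeClaimChange(context, data) {
  if (!context || !context.auth) {
    throw new ClaimError("unauthenticated", "sign-in required");
  }
  const callerClaims = context.auth.token || {};
  if (callerClaims.admin !== true) {
    throw new ClaimError("permission-denied", "admin claim required");
  }
  if (typeof data.targetUid !== "string" || data.targetUid.length === 0) {
    throw new ClaimError("invalid-argument", "targetUid required");
  }
  if (!GRANTABLE_CLAIMS.has(data.claim)) {
    throw new ClaimError("invalid-argument", "claim not grantable: " + data.claim);
  }
  return { uid: data.targetUid, claims: { [data.claim]: true } };
}

// Handler body. authApi is admin.auth() in production and fakeAuth() below
// in the offline run. Existing claims are merged so one grant does not wipe
// out earlier ones.
async function grantClaim(authApi, context, data) {
  const change = authorizeClaimChange(context, data);
  const user = await authApi.getUser(change.uid);
  const merged = Object.assign({}, user.customClaims || {}, change.claims);
  await authApi.setCustomUserClaims(change.uid, merged);
  // The client's current ID token stays valid, and stale, until it expires
  // or is force-refreshed, so signal that a refresh is needed.
  return { ok: true, refreshToken: true, claims: merged };
}

// Constructed in-memory stand-in for admin.auth(), covering only the two
// methods the handler uses. `users` maps uid -> current custom claims.
function fakeAuth(users) {
  return {
    async getUser(uid) {
      if (!(uid in users)) throw new ClaimError("not-found", "no such user");
      return { uid: uid, customClaims: users[uid] };
    },
    async setCustomUserClaims(uid, claims) {
      users[uid] = claims;
    },
  };
}

// Deployment wiring (assumption: firebase-functions v1 onCall signature,
// matching the (data, context) shape used in the issue):
// const functions = require("firebase-functions");
// const admin = require("firebase-admin");
// admin.initializeApp();
// exports.grantClaim = functions.https.onCall((data, context) =>
//   grantClaim(admin.auth(), context, data));

// Stand-alone demonstration with constructed users.
async function demo() {
  const users = { u1: { admin: true }, u2: { existing: true } };
  const auth = fakeAuth(users);
  const adminCtx = { auth: { uid: "u1", token: { admin: true } } };
  const res = await grantClaim(auth, adminCtx, { targetUid: "u2", claim: "customField" });
  console.log(res);
  try {
    await grantClaim(auth, { auth: { uid: "u2", token: users.u2 } },
      { targetUid: "u1", claim: "customField" });
  } catch (e) {
    console.log("rejected:", e.code);
  }
  return users;
}
demo();
```

On the client side this pairs with exactly the flow the report shows: after the callable returns `refreshToken: true`, call getIDTokenResult(forcingRefresh: true) before touching Firestore; note that Firestore keeps using the token it already has for an open connection, so a refreshed token only helps once the SDK has picked it up.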
