I'm trying to create an authentication system using Firebase, Cloud Functions and Express.
I've followed this guide for my Express app, mixed with the Google docs about cookies.
Here's my server code:
index.ts
import { cors } from "./middlewares/cors";
import { initFirebase } from "./utils/firebase";
import { IRoutes } from "./interfaces";
import { routes } from "./routes";
import * as cookieParser from "cookie-parser";
import * as bodyParser from "body-parser";
import * as Express from "express";
import * as functions from "firebase-functions";

// firebase initialize (firebase-admin app)
initFirebase();

// REST API routes: one Express app per router, each exported as its own Cloud Function
routes.forEach((routerObj: IRoutes) => {
  const app = Express();
  app.use(cookieParser()); // fills req.cookies from the Cookie request header
  app.use(cors);
  app.use(bodyParser.json());
  app.use(
    bodyParser.urlencoded({
      extended: true
    })
  );
  // export routes individually for cloud functions
  app.use(routerObj.router);
  exports[routerObj.name] = functions.region("europe-west1").https.onRequest(app);
});
cors.ts
import * as Cors from "cors";

const options: Cors.CorsOptions = {
  credentials: true,        // sends Access-Control-Allow-Credentials: true
  methods: "GET,OPTIONS,POST,DELETE,HEAD,PATCH",
  preflightContinue: false, // the middleware answers OPTIONS preflights itself
  origin: "*"               // sends Access-Control-Allow-Origin: *
};

export const cors = Cors(options);
My API route for login:

import * as admin from "firebase-admin";
import { CookieOptions, Request, Response, Router } from "express";

const router = Router();

router.post("/login", async (req: Request, res: Response) => {
  // the body arrives either as a raw string or already parsed by body-parser
  const body = typeof req.body === "string" ? JSON.parse(req.body) : req.body;
  const { idToken } = body.data;
  // // Guard against CSRF attacks.
  // if (csrfToken !== req.cookies.csrfToken) {
  //   res.status(401).send("UNAUTHORIZED REQUEST!");
  //   return;
  // }
  // Set session expiration to 5 days.
  const expiresIn = 60 * 60 * 24 * 5 * 1000;
  try {
    // exchange the short-lived Firebase ID token for a long-lived session cookie
    const sessionCookie = await admin.auth().createSessionCookie(idToken, { expiresIn });
    const options: CookieOptions = {
      signed: false,
      maxAge: expiresIn,
      httpOnly: false,
      secure: false
    };
    res.setHeader("Cache-Control", "private");
    res.cookie("__session", sessionCookie, options);
    res.status(200).send({ cookies: req.cookies });
  } catch (e) {
    console.error(e);
    res.status(401).send("UNAUTHORIZED REQUEST!");
  }
});
My API route to check connection status (same file, same router and imports as the login route):

router.post("/status", async (req: Request, res: Response) => {
  // cookie-parser has already split the Cookie header into req.cookies
  const sessionCookie = req.cookies.__session || "";
  try {
    // second argument: also check whether the session has been revoked
    const decodedClaims = await admin.auth().verifySessionCookie(sessionCookie, true);
    console.log("decodedClaims: ", decodedClaims);
    res.end(JSON.stringify({ data: { decodedClaims } }));
    // res.redirect("/profile");
  } catch (e) {
    console.error(e);
    res.status(401).send("UNAUTHORIZED REQUEST!");
  }
});
And then how I call the API from my client side (http://localhost:3001):

const idToken = await user.getIdToken();
try {
  await fetch("http://localhost:5003/test/europe-west1/user/login",
    {
      method: "POST",
      headers: {
        ContentType: "application/json",
        Accept: "application/json"
      },
      body: JSON.stringify({
        data: {
          idToken
        }
      })
    }
  );
} catch (e) {
  console.error(e);
}
First point: no __session cookie is created with this code. However, the response of the request is
But there is nothing in the cookies section of the browser, and when I try to get it with req.cookies.__session
Nevertheless, if I try to fetch http://localhost:5003/test/europe-west1/user/login directly from the same origin, everything works.
I suspect the problem comes from cross-origin authorizations.
I've checked a lot of issues about this:
firebase cloud function won't store cookie named other than "__session"
Express - Firebase - Check undefined req.cookie.__session without throwing error
And more, but nothing works.
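As an added example (it is not the asker's code, nor part of Firebase, Express or the cors package), here is the header logic a credentialed cross-origin session-cookie exchange relies on, written as plain TypeScript functions so it runs without Express, cors or firebase-admin. The cookie name __session and the dev origin http://localhost:3001 come from the question; the allow-list entry https://app.example.com, the function names and the five-day lifetime are assumptions. It covers both the login response (CORS headers plus Set-Cookie) and the later /status call reading the cookie back, which the question's two routes split between them.

```typescript
// Added example, not code from the question. Pure functions modelling the
// headers of a credentialed cross-origin login; no Express/cors/firebase-admin.

// Assumed allow-list: the dev origin from the question plus a hypothetical prod host.
const ALLOWED_ORIGINS: string[] = ["http://localhost:3001", "https://app.example.com"];

type HeaderMap = { [name: string]: string };

// CORS headers for a credentialed request. Browsers discard a credentialed
// response whose Access-Control-Allow-Origin is "*", so the exact request
// origin is echoed back, and only when it is on the allow-list. Vary: Origin
// stops a shared cache from replaying one origin's answer to another.
function corsHeaders(requestOrigin: string | undefined): HeaderMap | null {
  if (!requestOrigin || ALLOWED_ORIGINS.indexOf(requestOrigin) === -1) {
    return null;
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET,OPTIONS,POST,DELETE,HEAD,PATCH",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin"
  };
}

// Set-Cookie value for the __session cookie. A cookie is only attached to
// cross-site requests when it is SameSite=None, and browsers require Secure
// alongside SameSite=None; HttpOnly keeps it out of document.cookie.
function sessionSetCookie(value: string, maxAgeMs: number, crossSite: boolean): string {
  const attrs = [
    "__session=" + encodeURIComponent(value),
    "Max-Age=" + Math.floor(maxAgeMs / 1000),
    "Path=/",
    "HttpOnly",
    "Secure",
    crossSite ? "SameSite=None" : "SameSite=Lax"
  ];
  return attrs.join("; ");
}

// Full response header set for a successful /login from the given origin,
// or null when the origin is not allowed (the caller would answer 403).
function loginResponseHeaders(requestOrigin: string | undefined, sessionCookie: string, expiresInMs: number): HeaderMap | null {
  const headers = corsHeaders(requestOrigin);
  if (headers === null) return null;
  // assumption: the API and the front end live on different sites, so cross-site
  headers["Set-Cookie"] = sessionSetCookie(sessionCookie, expiresInMs, true);
  headers["Cache-Control"] = "private"; // never let a shared cache store a Set-Cookie response
  return headers;
}

// What the browser must send for the cookie to be stored and replayed:
// credentials: "include" (fetch's default "same-origin" drops cookies
// cross-origin) and a real Content-Type header so the server parses JSON.
interface FetchInit {
  method: string;
  credentials: "include" | "same-origin" | "omit";
  headers: HeaderMap;
  body: string;
}

function loginRequestInit(idToken: string): FetchInit {
  return {
    method: "POST",
    credentials: "include",
    headers: { "Content-Type": "application/json", Accept: "application/json" },
    body: JSON.stringify({ data: { idToken } })
  };
}

// Parse a Cookie request header (what cookie-parser does for req.cookies), so
// the later /status call can read __session back.
function parseCookies(header: string | undefined): { [name: string]: string } {
  const out: { [name: string]: string } = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}
```

Running it against the question's origin shows the three conditions a browser checks before a cross-origin response may set and later resend a cookie: the response names the specific origin together with Access-Control-Allow-Credentials: true rather than `*`, the client passes credentials: "include", and the cookie carries SameSite=None; Secure so that it travels on the later /status request from the other site.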