Missing permission for Firestore with Firebase 8.0.1

[ghivert]

Describe your environment

• Operating System version: macOS 10.15.7
• Browser version: Chrome 86.0
• Firebase SDK version: 8.0.1
• Firebase Product: Authentication + Firestore

Describe the problem

I just upgraded Firebase from v7.21.0 to v8.0.1 and spotted a bug on Firestore. When creating a user, I’m creating a custom claim for the user. In my Firestore Rules, I’m using the custom claim to enable access. The first time I’m querying Firestore, I receive a Missing permission. After reloading the page, the exact same code loads without issue. The issue is not there on 7.21.0.

Steps to reproduce:

Set a custom claim right after creating user with email and password, and then try loading a document from Firestore with the custom claim as condition.

Relevant Code:

Those are extracts from my configurations with names changed.

match /example/{eid} {
  allow read: if
    eid in request.auth.token &&
    request.auth.token[eid] != null;
  allow update: if false;
  allow write: if false;
}

// backend part
const user = await admin.auth().getUser(id)
const customClaims = user.customClaims || {}
await admin.auth().setCustomUserClaims(id, {
  [example.id]: 'member',
  ...customClaims,
})

// frontend part
const query = async () => {
  try {
    await user.getIdTokenResult(true)
    return await firestore.collection('example').doc(example.id).get()
  } catch (error) {
    return query()
  }
}
query()  // This raise an issue. Then after reload it works.

[ghivert]

I wanted to confirm the bug while enjoying the new emulators, so I tried different version: the bug is present on v8.0.1 but not on v8.0.0.

The exact error message:

FirebaseError: Missing or insufficient permissions.
    at new Nr (http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:45522)
    at http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:169449
    at cf.onMessage (http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:170279)
    at http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:168331
    at http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:168736
    at http://localhost:3000/__/firebase/8.0.1/firebase-firestore.js:1:113756

I’m using the emulator to get the Firebase SDK, so my index.html is as follows:

<html>
  <!-- Things here… -->
  <body>
    <!-- Other things here… -->
    <script src="/__/firebase/8.0.1/firebase-app.js"></script>
    <script src="/__/firebase/8.0.1/firebase-auth.js"></script>
    <script src="/__/firebase/8.0.1/firebase-firestore.js"></script>
    <script src="/__/firebase/8.0.1/firebase-storage.js"></script>
    <script src="/__/firebase/8.0.1/firebase-functions.js"></script>
    <!-- <script src="/__/firebase/8.0.1/firebase-analytics.js"></script> -->
    <script src="/__/firebase/8.0.1/firebase-performance.js"></script>
    <script src="/__/firebase/init.js"></script>
  </body>
</html>

[sam-gc]

Hi, thanks for filing this.

Are you seeing this bug only when interacting with the emulators, or is it happening in production as well?

[ghivert]

Hi,

It’s happening with the emulators and with a production release when switching from v8.0.0 to v8.0.1

[sam-gc]

Okay, thanks. Another question (trying to determine if this is on the Auth side or the Firestore side): if you inspect the results of await user.getIdTokenResult(true), do you see your custom claims in the claims field?

[ghivert]

Yes, the await user.getIdTokenResult(true) shows properly my [example.id]: 'member' claim, so the backend is running smoothly. Do you need a small reproducible bug (I can try to do it, but not now), or is it enough for you?

[thebrianchen]

@ghivert I tried reproducing this at v8.0.1, but it seemed to work for me. How are you splitting the backend and frontend functionality in your code? Could you please provide a small repro?

[google-oss-bot]

Hey @ghivert. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

[google-oss-bot]

Since there haven't been any recent updates here, I am going to close this issue.

@ghivert if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.

[molimauro]

Exact same problem unfortunately. After creating a user and setting via Cloud Functions a custom claim, the first update fails even after the firebase.auth().currentUser.getIdToken(true) (I also checked that the claims are present on the client). Instead, if I wait some seconds before calling the update, the problem is not present.
I'm using the firestore and functions emulator but not the auth one. Hope this helps, thanks!

[ghivert]

I can try to provide a small reproducible example, but not before next week. :(

[molimauro]

Same as #4175? :)