Skip to content

Re-establish streams when App Check token expires. #5902

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Jan 26, 2022
Merged

Re-establish streams when App Check token expires. #5902

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
fb27ee5
Re-establish streams when App Check token expires.
ehsannas Jan 18, 2022
3da0c5b
Create happy-badgers-leave.md
ehsannas Jan 18, 2022
016631e
Better patch message.
ehsannas Jan 24, 2022
c9c0386
better patch message.
ehsannas Jan 24, 2022
d01b6e7
address comments.
ehsannas Jan 24, 2022
e9123f3
Remove outdated comment.
ehsannas Jan 24, 2022
27702c1
Update packages/firestore/src/core/firestore_client.ts
ehsannas Jan 25, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .changeset/happy-badgers-leave.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
"@firebase/firestore": patch
---

Fixed an AppCheck issue that caused Firestore listeners to stop working and
receive a "Permission Denied" error. This issue only occurred for AppCheck users
that set their expiration time to under an hour.
19 changes: 17 additions & 2 deletions packages/firestore/src/core/firestore_client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,10 @@ export class FirestoreClient {
private readonly clientId = AutoId.newId();
private authCredentialListener: CredentialChangeListener<User> = () =>
Promise.resolve();
private appCheckCredentialListener: (
appCheckToken: string,
user: User
) => Promise<void> = () => Promise.resolve();

offlineComponents?: OfflineComponentProvider;
onlineComponents?: OnlineComponentProvider;
Expand All @@ -122,8 +126,10 @@ export class FirestoreClient {
await this.authCredentialListener(user);
this.user = user;
});
// Register an empty credentials change listener to activate token refresh.
this.appCheckCredentials.start(asyncQueue, () => Promise.resolve());
this.appCheckCredentials.start(asyncQueue, newAppCheckToken => {
logDebug(LOG_TAG, 'Received new app check token=', newAppCheckToken);
return this.appCheckCredentialListener(newAppCheckToken, this.user);
});
}

async getConfiguration(): Promise<ComponentConfiguration> {
Expand All @@ -142,6 +148,12 @@ export class FirestoreClient {
this.authCredentialListener = listener;
}

setAppCheckTokenChangeListener(
listener: (appCheckToken: string, user: User) => Promise<void>
): void {
this.appCheckCredentialListener = listener;
}

/**
* Checks that the client has not been terminated. Ensures that other methods on
* this class cannot be called after the client is terminated.
Expand Down Expand Up @@ -234,6 +246,9 @@ export async function setOnlineComponentProvider(
client.setCredentialChangeListener(user =>
remoteStoreHandleCredentialChange(onlineComponentProvider.remoteStore, user)
);
client.setAppCheckTokenChangeListener((appCheckToken, user) =>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
client.setAppCheckTokenChangeListener((appCheckToken, user) =>
client.setAppCheckTokenChangeListener((_, user) =>

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the AppCheckTokenListener really return the user?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AppCheckTokenListener only provides the new app check token, not the user. I take the new app check token, as well as the latest user from the firestore_client to call remoteStoreHandleCredentialChange.

remoteStoreHandleCredentialChange needs to know the latest user because if the user has changed, it'll do a bunch of things related to user changes. By passing it the current user, that logic will be bypassed and only the restarting of the streams occurs.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, this is a bit of a strange API as the user has nothing to do with the AppCheck token. But I see that this simplifies things a bit, as you otherwise have to manage the current user in yet another place. Let's leave as is for now and remove once the backend fixes the underlying issue.

remoteStoreHandleCredentialChange(onlineComponentProvider.remoteStore, user)
);
client.onlineComponents = onlineComponentProvider;
}

Expand Down