node.jsfirebaseoauthgoogle-cloud-functionscross-domain

Cross domain state cookie issue with proxied Firebase Functions

I developed a oAuth login using this example. The problem first problem encountered was the state cookie validation if third-party cookies are disabled in the browser (now by default). As suggested by this answer, I proxied the functions.

So I proxied the functions using Hosting rewrites so you are in the same domain and the server cookie that the first redirect function sets seems to be in the same domain as the app. So this is what happens

  1. User is redirected to a cloud function that sets the cookie and redirects the user to the third party auth provider
  2. User signs in
  3. User is redirected to the app again, the app gets the authorization code and redirects the user to the token function
  4. The token function tries to read the state cookie, but there is no cookie at all

When I try to read the cookies from the token function

[Object: null prototype] {}

This are the hosting rewrites

"hosting": {
...
"rewrites":  [
  {
    "source": "/redirect",
    "function": "redirect"
  },
  {
    "source": "/token**",
    "function": "token"
  },
  {
    "source": "**",
    "destination": "/index.html"
  }
],

This is the redirect function

exports.redirect = functions.https.onRequest((req, res) => {
  cookieParser()(req, res, () => {
    const redirect_uri = `https://${process.env.GCLOUD_PROJECT}.firebaseapp.com/auth.html`
    const state = req.cookies.state || crypto.randomBytes(20).toString('hex')
    const authorizationUri = fedidClient().authorizationCode.authorizeURL({
      redirect_uri: redirect_uri,
      scope: OAUTH_SCOPES,
      state: state,
    })
    res.cookie('state', state.toString(), {
      maxAge: 3600000,
      secure: true,
      httpOnly: true,
    })
    res.redirect(authorizationUri)
  })
})

This is the token function

exports.token = functions.https.onRequest((req, res) => {
  const redirect_uri = `https://${process.env.GCLOUD_PROJECT}.firebaseapp.com/auth.html`  
  try {
    return cookieParser()(req, res, async () => {
        if (!req.cookies.state) {
          throw new Error(
            'State cookie not set or expired. Maybe you took too long to authorize. Please try again.'
          )
        }
      const tokenConfig = {
        code: req.query.code,
        redirect_uri: redirect_uri,
        scope: OAUTH_SCOPES,
      }
      const result = await fedidClient().authorizationCode.getToken(tokenConfig)
      const accessToken = fedidClient().accessToken.create(result)

      let user = {}
      await getUserInfo(accessToken)
        .then((result) => result.json())
        .then((json) => (user = json))

      // Create a Firebase account and get the Custom Auth Token.
      const firebaseToken = await createFirebaseAccount(
        user.uid,
        user.displayName,
        user.mail,
        accessToken.token.access_token
      )

      res.jsonp({
        token: firebaseToken,
      })
    })
  } catch (error) {
    return res.status(500).jsonp({ error: error.toString })
  }
})

Why the cookie is not passed through the second cloud function? The code works correctly if rewrites are disabled and third-party cookies are enabled.

Solution

  • You've probably inadvertently discovered the caching feature in Firebase Hosting that strips all cookies except __session.

    When using Firebase Hosting together with Cloud Functions or Cloud Run, cookies are generally stripped from incoming requests. This is necessary to allow for efficient CDN cache behavior. Only the specially-named __session cookie is permitted to pass through to the execution of your app.

    Source

    Try renaming your cookie to __session and see if that fixes it.