Tags: firebase, firebase-authentication, google-cloud-functions, fetch-api, session-cookies

Need clarification on httponly cookie restrictions on firebase functions (v2)


So, according to several sources, which I will list at the end, it seems as though the firebase functions will automatically remove all httponly cookies sent other than __session.

There seems to be no way to control the preflight OPTIONS request to enable httponly cookies (Access-Control-Allow-Credentials: true), since it seems that all OPTIONS requests (i.e. preflight requests) are tightly controlled by the firebase functions engine itself, and cannot be modified in the function definition functions.https.onRequest, as those only ever receive the POST/GET/PUT/DELETE request AFTER the preflight is handled.

What confuses me is, how is the __session cookie even sent under the hood by the official auth library for firebase? If I have the firebase function manually set the __session cookie as httponly, I have no way to send it back on the next request, since if I use the fetch api with `credentials: "include"`, it will always trigger "Request blocked by CORS policy, response to preflight request sent Access-Control-Allow-Credentials: '' but Access-Control-Allow-Credentials: 'true' is required for this request" (NOT an exact quote, but close enough).

So in summary

  1. Does anyone know how the firebase authentication client is sending the __session cookie under the hood if the preflight request does not allow Access-Control-Allow-Credentials: true? Is it instead using non-httponly (js accessible) cookies and sending it in a manual "Cookie: " header from the fetch api or similar ajax?

  2. If I want to implement custom authentication (e.g. custom jwt protocols), should I just migrate away from firebase functions? Should I consider google cloud functions directly (as opposed to through the firebase ecosystem), or will they have the same restriction? Is it time to move to a vps server, or use NextJS and vercel?

Supporting info:

https://firebase.google.com/docs/auth/admin/manage-cookies

Why doesn't firebase auth support httponly cookie persistence?
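As an added example (not from the question and not Firebase's own code), here is the header handling a credentialed cross-origin exchange needs, written as a plain Node.js request handler so it runs without a server: the preflight echoes an allowlisted origin and sets Access-Control-Allow-Credentials: true, and the __session cookie is set with HttpOnly, Secure and SameSite=None so a fetch with credentials: "include" can carry it back. The ALLOWED_ORIGINS set, the handler shape and the session id are assumptions for the example; whether a given hosting layer forwards OPTIONS to your handler is the question's open point and is not settled here.

```javascript
// Added example, not Firebase's code. Assumed allowlist of browser origins
// that may make credentialed (cookie-carrying) cross-origin requests.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// CORS headers for a credentialed request. Browsers refuse "*" together with
// credentials, so the exact Origin is echoed back, and only if allowlisted.
// No Origin header means a same-origin request, which needs no CORS headers.
function corsHeaders(origin) {
  if (origin === undefined) return {};
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin", // stop caches serving one origin's answer to another
  };
}

// Set-Cookie value for __session. HttpOnly keeps it out of document.cookie;
// SameSite=None plus Secure is what allows a cross-site fetch with
// credentials: "include" to send it on later requests.
function sessionCookie(value, maxAgeSeconds) {
  return `__session=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}` +
    "; Path=/; HttpOnly; Secure; SameSite=None";
}

// Minimal handler over a {method, headers} view of the request (assumed
// shape). Returns {status, headers} so the logic is testable without I/O.
function handleRequest(req) {
  const cors = corsHeaders(req.headers.origin);
  if (cors === null) return { status: 403, headers: {} };
  if (req.method === "OPTIONS") return { status: 204, headers: cors }; // preflight
  if (req.method === "POST") {
    // Constructed session id; a real one is issued after verifying the ID token.
    const cookie = sessionCookie("constructed-session-id", 5 * 24 * 3600);
    return { status: 200, headers: { ...cors, "Set-Cookie": cookie } };
  }
  // Any other method: require the HttpOnly __session cookie to be present.
  const hasSession = /(^|;\s*)__session=/.test(req.headers.cookie || "");
  return { status: hasSession ? 200 : 401, headers: cors };
}
```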


Solution

  • Hi. First of all, I'm no expert on the subject, so I will just be sharing my opinion, which to my limited knowledge is correct. So, please be lenient if this proves to be not useful.

    I also think it is a good question to understand the secure authentication in Firebase. But any questions related to specific services should be asked to its relevant support department, that's probably the reason for the restriction. Check this out:

    Why can't I ask customer service related questions


    According to what I could find out on the internet, this is how Firebase handles the __session cookie:

    This approach allows Firebase to maintain security while working around CORS restrictions that would otherwise prevent the cookie from being sent in cross-origin requests.


    Next up, for a custom authentication implementation you have the following options, I think:

    You can search for how to do that by mentioning the method on the web, but if it proves to be difficult, reach out to me, so I may be able to help out.


    Good Luck 👍