So, according to several sources, which I will list at the end, it seems as though the firebase functions (`const functions = require('firebase-functions/v2')`) will automatically remove all httponly cookies sent other than `__session`.
There seems to be no way to control the preflight OPTIONS request to enable httponly cookies (`Access-Control-Allow-Credentials: true`), since it seems that all OPTIONS requests (i.e. preflight requests) are tightly controlled by the firebase functions engine itself, and cannot be modified in the function definition `functions.https.onRequest`, as those only ever receive the POST/GET/PUT/DELETE request AFTER the preflight is handled.
What confuses me is, how is the `__session` cookie even sent under the hood by the official auth library for firebase? If I have the firebase function manually set the `__session` cookie as httponly, I have no way to send it back on the next request, since if I use the `fetch` api with `credentials: "include"`, it will always trigger the

> Request blocked by CORS policy, response to preflight request sent Access-Control-Allow-Credentials: '' but Access-Control-Allow-Credentials: 'true' is required for this request

(NOT an exact quote, but close enough)
So in summary:

1. Does anyone know how the firebase authentication client is sending the `__session` cookie under the hood if the preflight request does not allow `Access-Control-Allow-Credentials: true`? Is it instead using non-httponly (js accessible) cookies and sending it in a manual `Cookie:` header from the fetch api or similar ajax?
2. If I want to implement custom authentication (e.g. custom jwt protocols), should I just migrate away from firebase functions? Should I consider google cloud functions directly (as opposed to through the firebase ecosystem), or will they have the same restriction? Is it time to move to a vps server, or use NextJS and vercel?
Supporting info:
https://firebase.google.com/docs/auth/admin/manage-cookies
Why doesn't firebase auth support httponly cookie persistence?
I also think it is a good question for understanding secure authentication in Firebase. But any questions related to specific services should be asked of their relevant support department; that's probably the reason for the restriction. Check this out:

According to what I could find out on the internet, this is how firebase handles the `__session` cookie:
- Firebase's `__session` cookie is not subject to the same CORS restrictions as other cookies.
- The Firebase Auth SDK handles the `__session` cookie internally. The SDK doesn't rely on the browser's normal cookie-sending mechanisms.
- The Firebase Auth SDK reads the `__session` cookie value (if it exists) and sends it as a custom header in the request. This bypasses the normal CORS restrictions on cookies.
- On the server side (in Firebase Functions), the Firebase runtime intercepts requests and looks for this custom header. If found, it reconstructs the `__session` cookie before passing the request to your function code.
- This process is transparent to both your client-side and server-side code. You don't need to handle this cookie explicitly in most cases.
- Despite not being sent as a normal cookie, the `__session` cookie is still protected against cross-site scripting (XSS) attacks because it's handled internally by the Firebase SDK.

This approach allows Firebase to maintain security while working around CORS restrictions that would otherwise prevent the cookie from being sent in cross-origin requests.
Next up, for a custom authentication implementation you have the following options, I think:

1. You can try to use Firebase Custom Authentication to create custom tokens.
2. You can use Google Cloud Functions; it allows you to set custom headers for CORS, including `Access-Control-Allow-Credentials`. But it needs more manual configuration.
3. Lastly, you can try a VPS or NextJS/Vercel.
You can search for how to do that by mentioning the method on the web, but if it proves to be difficult, reach out to me, so I may be able to help out.
Good Luck π