Auth Emulator does not update auth_time when updating user #5990

Open · ekimekim opened this issue Jun 15, 2023 · 2 comments

Comments

@ekimekim

I've encountered a difference in the behaviour of auth_time between the Firebase Auth emulator and the real Firebase Auth service. When updating a user's email (potentially other fields too, I have only tested with email) and requesting a new token at the same time, the returned token's auth_time is unchanged, but the user's validSince is updated so that the returned token is immediately invalid. In the real service, the same operation results in a token with an updated auth_time that matches the new validSince.

I believe this is due to #3608 which made auth_time always match lastLoginAt.
The modern code that does the same thing is here:

if (user.lastLoginAt != null) {

When the email is updated, the lastLoginAt is not (which matches the real service's behaviour), but in this case auth_time should diverge from lastLoginAt and be updated.

It seems that the auth emulator does not currently compare auth_time in the token to validSince when accepting tokens; it compares iat instead. However, firebase-admin-node does. I looked at firebase-admin-java and it seems to compare to iat only, at least at first glance. So it may be that the validation issue is a firebase-admin-node bug, not a firebase-tools one. But the auth_time still acts differently here compared to the real service, so I think even in that case it's still worth fixing.

[REQUIRED] Environment info

firebase-tools: 11.19.0
firebase-admin-node: 11.2.0

Platform: Debian 10

[REQUIRED] Steps to reproduce

  1. Create a user with accounts:signUp and {"returnSecureToken": true}
  2. Wait a few seconds.
  3. Update the user with accounts:update, with {"email": "test@example.com", "idToken": <token from step 1>, "returnSecureToken": true}
  4. Attempt to validate the token from step 3 using firebase-admin's verifyIdToken method

[REQUIRED] Expected behavior

The token from step 3 validates correctly

[REQUIRED] Actual behavior

The token fails to validate due to auth_time being before validSince.
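Added example (not from the issue, firebase-tools or firebase-admin): it models the two revocation checks the report contrasts, comparing a token's auth_time or its iat against the user's validSince, on constructed tokens shaped like the emulator's and the real service's responses from the steps above. Timestamps, uid and claim values are constructed assumptions.

```javascript
// Added example, not firebase-tools or firebase-admin code. Timestamps are in
// seconds since epoch, as in Firebase ID token claims; all values constructed.

const T0 = 1686800000;        // constructed: time of accounts:signUp (step 1)
const UPDATE_AT = T0 + 5;     // constructed: time of accounts:update (step 3)

// Token the issue reports the emulator returning after the update:
// a fresh iat, but auth_time still equal to lastLoginAt (the sign-up time).
const emulatorToken = { sub: 'user-1', iat: UPDATE_AT, auth_time: T0 };

// Token the issue says the real service returns: auth_time moved forward.
const realServiceToken = { sub: 'user-1', iat: UPDATE_AT, auth_time: UPDATE_AT };

// validSince is the user record field that accounts:update bumps; any token
// minted before it must be treated as revoked.
const userRecord = { uid: 'user-1', validSince: UPDATE_AT };

// Revocation check as the issue describes firebase-admin-node doing it:
// compare the token's auth_time to validSince.
function isRevokedByAuthTime(token, user) {
  return token.auth_time < user.validSince;
}

// Revocation check as the issue describes the emulator (and, at first
// glance, firebase-admin-java) doing it: compare iat to validSince.
function isRevokedByIat(token, user) {
  return token.iat < user.validSince;
}

// Runs both checks on a token and returns the verdicts side by side, so the
// divergence between the two strategies is visible for each token shape.
function verdicts(token, user) {
  return {
    revokedByAuthTime: isRevokedByAuthTime(token, user),
    revokedByIat: isRevokedByIat(token, user),
  };
}

for (const [name, token] of Object.entries({ emulatorToken, realServiceToken })) {
  console.log(name, verdicts(token, userRecord));
}
```

The emulator-shaped token passes the iat check but fails the auth_time check, which is exactly the verifyIdToken failure described in step 4; the real-service-shaped token passes both.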

@google-oss-bot (Contributor)

This issue does not seem to follow the issue template. Make sure you provide all the required information.

@joehan (Contributor)

joehan commented Jun 20, 2023

Thanks for reporting this @ekimekim! It seems like you correctly identified the issue here - feel free to make a PR if you feel up for it! Otherwise, someone from the Auth emulator team will take a look shortly

@joehan joehan closed this as completed Jun 20, 2023
@joehan joehan reopened this Jun 20, 2023