I've encountered a difference in the behaviour of auth_time between the Firebase Auth emulator and the real Firebase Auth service.

When updating a user's email (potentially other fields too, I have only tested with email) and requesting a new token at the same time, the returned token's auth_time is unchanged, but the user's validSince is updated so that the returned token is immediately invalid.

In the real service, the same operation results in a token with an updated auth_time that matches the new validSince.

I believe this is due to #3608 which made auth_time always match lastLoginAt.

The modern code that does the same thing is here:
firebase-tools/src/emulator/auth/operations.ts
Line 2418 in d4d1952

When the email is updated, the lastLoginAt is not (which matches the real service's behaviour) but in this case auth_time should diverge from lastLoginAt and be updated.

It seems that the auth emulator does not currently compare auth_time in the token to validSince when accepting tokens, it compares iat instead. However firebase-admin-node does. I looked at firebase-admin-java and it seems to compare to iat only, at least at first glance. So it may be that the validation issue is a firebase-admin-node bug, not a firebase-tools one. But the auth_time still acts differently here compared to the real service so I think even in that case it's still worth fixing.

[REQUIRED] Environment info
firebase-tools: 11.19.0
firebase-admin-node: 11.2.0
Platform: Debian 10

[REQUIRED] Steps to reproduce
1. accounts:signUp and {"returnSecureToken": true}
2. accounts:update, with {"email": "test@example.com", "idToken": <token from step 1>, "returnSecureToken": true}
3. firebase-admin's verifyIdToken method

[REQUIRED] Expected behavior
The token from step 3 validates correctly

[REQUIRED] Actual behavior
The token fails to validate due to auth_time being before validSince.

Thanks for reporting this @ekimekim! It seems like you correctly identified the issue here - feel free to make a PR if you feel up for it! Otherwise, someone from the Auth emulator team will take a look shortly
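
The mismatch described in the issue, as an added example that is not part of the original report and is not code from firebase-tools or firebase-admin-node: a simplified model of the accounts:update step, showing the same token passing a validSince check on iat while failing one on auth_time. The user object, function names and timestamps are constructed for illustration.

```javascript
// Added illustration: simplified model, not firebase-tools or firebase-admin code.
// All timestamps are constructed sample values, in seconds since the epoch.

const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Build an unsigned sample token (header.payload.) for this demo only.
function makeToken(claims) {
  return `${b64url({ alg: "none", typ: "JWT" })}.${b64url(claims)}.`;
}

// Decode the payload segment of a JWT without verifying it.
function decodeClaims(token) {
  const seg = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(seg, "base64").toString("utf8"));
}

// Revocation-style check: the token is rejected if `claim` predates validSince.
function isRejected(token, user, claim) {
  return decodeClaims(token)[claim] < user.validSince;
}

// Model of accounts:update with a new email: validSince moves, lastLoginAt does not.
// `authTimeSource` selects which behaviour from the issue is being modelled.
function updateEmail(user, email, now, authTimeSource) {
  const updated = { ...user, email, validSince: now };
  const authTime =
    authTimeSource === "lastLoginAt" ? updated.lastLoginAt : updated.validSince;
  const idToken = makeToken({ sub: user.localId, iat: now, auth_time: authTime });
  return { user: updated, idToken };
}

function runScenario(authTimeSource) {
  const t0 = 1700000000, t1 = t0 + 60; // sign-up, then update one minute later
  const signedUp = { localId: "sample-uid", lastLoginAt: t0, validSince: t0 };
  const { user, idToken } = updateEmail(signedUp, "test@example.com", t1, authTimeSource);
  return {
    rejectedByIat: isRejected(idToken, user, "iat"),
    rejectedByAuthTime: isRejected(idToken, user, "auth_time"),
  };
}

console.log("auth_time = lastLoginAt (emulator):", runScenario("lastLoginAt"));
console.log("auth_time = validSince (real service):", runScenario("validSince"));
```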