HTTPS Callable `context.auth` is `null` after updating to latest packages (-tools 11.16)

[brianmhunt]

[REQUIRED] Environment info

$ npx firebase --version
11.16.0

firebase-tools:

Platform:

OS X 12.6

[REQUIRED] Test case

Run a trivial HTTPS callable function in the Functions Emulator. It does not have context.auth, as would be expected.

[REQUIRED] Steps to reproduce

Listener:

  export ping = functions.https.onCall(async (params, context) => {
    if (!context.auth) { throw new Error("Where's the auth?") }
    console.log("Have auth", context.auth)
  })

Call with functions.httpsCallable('ping')(),

[REQUIRED] Expected behavior

context.auth have the expected credentials and output and emulator console show "Have auth" .

[REQUIRED] Actual behavior

Emulator shows "Where's the auth?"

Related:

• context.auth is undefined in callable function using emulator #2059
• context.auth is null in emulator #4690
• https://stackoverflow.com/questions/70349757/the-context-auth-works-in-cloud-but-not-when-using-the-auth-emulator-do-the-fi

Packages / upgrade

This started occurring when we updated some packages, notably:

• firebase-tools 11.6 => 11.16
• firebase 8.4 => 9.13
• firebase-admin 11.0 => 11.3
• firebase-functions 3.22 => 4.0.2

JWT Header

If we print the headers the authentication header has a proper (unsigned) Bearer token e.g. from jwt.io

Deploy vs emulator

The function works as expected when deployed, suggesting this is an emulator problem.

[thecannabisapp]

Try changing params to data like this...

export ping = functions.https.onCall(async (data, context) => {
    if (!context.auth) { throw new Error("Where's the auth?") }
    console.log("Have auth", context.auth)
  })

[brianmhunt]

@chinesehemp I may misunderstand, but renaming an unused argument isn't going to help (because a.) the name is irrelevant and b.) in any case it isn't used). Perhaps you could please clarify what you were thinking might help?

[thecannabisapp]

@brianmhunt I had a similar issue with the emulator and https.onCall functions where I only included context as the arg. So inside the function, I was also finding context.auth was coming back as null. After I included data in the args with context, somehow the function was able to return context.auth again. Not sure exactly why it was happening, but it worked. I thought maybe it might work for you too. I'm using firebase-cli 11.16.0 FYI.

[brianmhunt]

Here's the most trivial repro:

export const ping2 = functions.https.onCall((a, b) => console.log({a, b}))

... and call with

> firebaseFunctions.httpsCallable('ping2')()

The results are:

>  {
>    a: null,
>    b: {
>      rawRequest: IncomingMessage {
>        _readableState: [ReadableState],
>        _events: [Object: null prototype],
>        _eventsCount: 1,
>        _maxListeners: undefined,
>        socket: [Socket],
>        httpVersionMajor: 1,
>        httpVersionMinor: 1,
>        httpVersion: '1.1',
>        complete: true,
>        rawHeaders: [Array],
>        rawTrailers: [],
>        aborted: false,
>        upgrade: false,
>        url: '/',
>        method: 'POST',
>        statusCode: null,
>        statusMessage: null,
>        client: [Socket],
>        _consuming: true,
>        _dumped: false,
>        next: [Function: next],
>        baseUrl: '',
>        originalUrl: '/',
>        _parsedUrl: [Url],
>        params: [Object],
>        query: {},
>        res: [ServerResponse],
>        body: [Object],
>        _body: true,
>        length: undefined,
>        rawBody: <Buffer 7b 22 64 61 74 61 22 3a 6e 75 6c 6c 7d>,
>        route: [Route],
>        [Symbol(kCapture)]: false,
>        [Symbol(kHeaders)]: [Object],
>        [Symbol(kHeadersCount)]: 40,
>        [Symbol(kTrailers)]: null,
>        [Symbol(kTrailersCount)]: 0,
>        [Symbol(RequestTimeout)]: undefined
>      }
>    }
>  }

Version / DevTools:

> firebase.SDK_VERSION
'9.14.0'

 $ npm list |grep -i firebase
functions@ /workspaces/MinuteBox/services/firebase/functions
├── firebase-admin@11.2.1
├── firebase-functions@4.0.2
├── firebase-tools@11.16.0

I'll try to create a repo to demonstrate this but it's a bit odd that everyone using the library isn't encountering this.

[brianmhunt]

Interestingly, even after downgrading all the packages the problem continues to exhibit i.e. reverting the following updates:

• firebase-tools 11.6 => 11.16
• firebase 8.4 => 9.13
• firebase-admin 11.0 => 11.3
• firebase-functions 3.22 => 4.0.2

[brianmhunt]

Noting that when I add this debugging info:

It says:

TOKENS STASTUS:::⭐️ { tokenStatus: { app: 'MISSING', auth: 'MISSING' } }

[brianmhunt]

What's particularly peculiar is that the Authorziation header is clearly being sent:

but in firebase-functions/lib/common/providers/https.js@checkAuthToken:

we don't see that header:

>  REQ AUTH ⭐️  undefined {
>    host: 'localhost:7902',
>    connection: 'keep-alive',
>    'content-length': '13',
>    pragma: 'no-cache',
>    'cache-control': 'no-cache',
>    'sec-ch-ua': '"Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"',
>    'content-type': 'application/json',
>    'sec-ch-ua-mobile': '?0',
>    'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36',
>    'sec-ch-ua-platform': '"macOS"',
>    accept: '*/*',
>    origin: 'http://localhost:7100',
>    'sec-fetch-site': 'same-site',
>    'sec-fetch-mode': 'cors',
>    'sec-fetch-dest': 'empty',
>    referer: 'http://localhost:7100/',
>    'accept-encoding': 'gzip, deflate, br',
>    'accept-language': 'en-CA,en;q=0.9,fr-CA;q=0.8,fr;q=0.7,en-US;q=0.6',
>    'x-original-auth': 'Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJhY2NvdW50cyI6eyJlbXUtMDAxIjp7ImFkbWluIjp0cnVlLCJiaWxsaW5nQWRtaW4iOmZhbHNlLCJ0ZWFtRmlsdGVyS2V5cyI6W10sInVzZXIiOnRydWV9fSwib3RwIjpmYWxzZSwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYXV0aF90aW1lIjoxNjY4MjY2ODczLCJ1c2VyX2lkIjoidWlkLS1hZG1pbkBleGFtcGxlLmNvbSIsImZpcmViYXNlIjp7ImlkZW50aXRpZXMiOnsiZW1haWwiOlsiYWRtaW5AZXhhbXBsZS5jb20iXX0sInNpZ25faW5fcHJvdmlkZXIiOiJwYXNzd29yZCJ9LCJpYXQiOjE2NjgyNjY4ODQsImV4cCI6MTY2ODI3MDQ4NCwiYXVkIjoiZGVtby1taW51dGVib3gtZW11bGF0aW9uIiwiaXNzIjoiaHR0cHM6Ly9zZWN1cmV0b2tlbi5nb29nbGUuY29tL2RlbW8tbWludXRlYm94LWVtdWxhdGlvbiIsInN1YiI6InVpZC0tYWRtaW5AZXhhbXBsZS5jb20ifQ.',
>    'x-callable-context-auth': '%7B%22uid%22%3A%22uid--admin%40example.com%22%2C%22token%22%3A%7B%22accounts%22%3A%7B%22emu-001%22%3A%7B%22admin%22%3Atrue%2C%22billingAdmin%22%3Afalse%2C%22teamFilterKeys%22%3A%5B%5D%2C%22user%22%3Atrue%7D%7D%2C%22otp%22%3Afalse%2C%22email%22%3A%22admin%40example.com%22%2C%22email_verified%22%3Afalse%2C%22auth_time%22%3A1668266873%2C%22user_id%22%3A%22uid--admin%40example.com%22%2C%22firebase%22%3A%7B%22identities%22%3A%7B%22email%22%3A%5B%22admin%40example.com%22%5D%7D%2C%22sign_in_provider%22%3A%22password%22%7D%2C%22iat%22%3A1668266884%2C%22exp%22%3A1668270484%2C%22aud%22%3A%22demo-minutebox-emulation%22%2C%22iss%22%3A%22https%3A%2F%2Fsecuretoken.google.com%2Fdemo-minutebox-emulation%22%2C%22sub%22%3A%22uid--admin%40example.com%22%2C%22uid%22%3A%22uid--admin%40example.com%22%7D%7D'
>  }

... suggesting it's being scrubbed somewhere.

[brianmhunt]

Possibly related: #2910

[brianmhunt]

It looks suspiciously like the problem is intertwined with cors/lib/index.js, but I can't test it at the moment.

[brianmhunt]

Noting that if I add logging at runFunction in firebase-tools/lib/emulator/functionsEmulatorRuntime.ts like this:

    await runFunction(() => {
console.log(`⭐️  ⭐️  args `, args[0], args[1])
        return trigger(args[0], args[1]);
    });

I see logging that includes the Authorization Bearer token:

 rawHeaders: [
...
   'Bearer eyJ...',

So the authorization header would seem to be removed between the start/end points on the stack trace:

>      at /workspaces/repo/services/firebase/functions/dist/index.js:233025:19
>      at /workspaces/repo/services/firebase/functions/dist/index.js:233016:21
>      at cors2 (/workspaces/repo/services/firebase/functions/dist/index.js:232703:11)
>      at /workspaces/repo/services/firebase/functions/dist/index.js:232735:21
>      at originCallback (/workspaces/repo/services/firebase/functions/dist/index.js:232726:19)
>      at /workspaces/repo/services/firebase/functions/dist/index.js:232730:17
>      at optionsCallback (/workspaces/repo/services/firebase/functions/dist/index.js:232712:13)
>      at corsMiddleware (/workspaces/repo/services/firebase/functions/dist/index.js:232716:11)
>      at /workspaces/repo/services/firebase/functions/dist/index.js:233015:31
>      at new Promise (<anonymous>)
>      at /workspaces/repo/services/firebase/functions/dist/index.js:233013:16
>      at /workspaces/repo/services/end-to-end-tests/node_modules/firebase-tools/lib/emulator/functionsEmulatorRuntime.js:531:16
>      at runFunction (/workspaces/repo/services/end-to-end-tests/node_modules/firebase-tools/lib/emulator/functionsEmulatorRuntime.js:504:15)
>      at runHTTPS (/workspaces/repo/services/end-to-end-tests/node_modules/firebase-tools/lib/emulator/functionsEmulatorRuntime.js:529:11)
>      at /workspaces/repo/services/end-to-end-tests/node_modules/firebase-tools/lib/emulator/functionsEmulatorRuntime.js:695:27
>      at Layer.handle [as handle_request] (/workspaces/repo/services/end-to-end-tests/node_modules/firebase-tools/node_modules/express/lib/router/layer.js:95:5)