Firebase功能会话Cookie未在子域上定义 [英] Firebase Function Session Cookie is not defined on subdomain

问题描述

我尝试让Firebase会话Cookies起作用，以在所有子域中保持一项Auth.

I try to get the Firebase Session Cookies to work to keep one Auth across all the subdomains.

现在，我有了子域accounts.mysite.com，其中已将Cloud Functions以及登录表单路由到了该子域.在此注册后，我将调用云功能:

Now I have the Subdomain accounts.mysite.com where I have the Cloud Functions routed to as well as the login forms. After registering there I call my Cloud Function:

app.get("/authenticate/sign-in-user",  async (req:Request, res:Response) => {
    const idToken = req.query.token as string;
    const expiresIn = 60 * 60 * 24 * 5 * 1000;
    let sessionCookie;

    try {
        sessionCookie = await auth.createSessionCookie(idToken, { expiresIn,});
    } catch (e) {
        res.status(401).end("Invalid ID Token");
    }

    const options = {
        maxAge: expiresIn,
        httpOnly: true,
        secure: false,
        domain: ".mysite.com",
    };

    res.cookie("__session", sessionCookie, options);

    res.end(JSON.stringify({ status: "success" }));
});

这很完美，并且设置了会话cookie，现在在我的函数中，该函数检查cookie是否有效并返回数据:

That works perfect and the session cookie is set, now on my function which checks if the cookie is valid and returns the data:

app.get("/authenticate/check-user", async (req:Request, res:Response) => {
    try {
        const sessionCookie = req.cookies.__session || '';
        if (!sessionCookie) res.status(403).send('No Cookie found.');

        console.log(sessionCookie);
    
        const decodedClaims = await admin.auth().verifySessionCookie(sessionCookie, true);
        console.log(decodedClaims);
        res.end(JSON.stringify(decodedClaims));
    }
    catch (e) {
        res.status(401).send('The found Cookie is not valid')
    }
});

如果我是直接从accounts.mysite.com调用它的话，就可以正常工作，但是当我想在诸如hello.mysite.com的子域中调用check-user函数时，总是会返回403错误.

This works fine if I call it right from the accounts.mysite.com but when I wanna call the check-user function while on a subdomain like hello.mysite.com I always get a 403 Error back.

正在检查站点Cookie是否已设置，所以我不确定为什么它在Cloud Function中不可读.

Inspecting the Site the Cookie is set currently so I am not sure why its not readable in the Cloud Function.

推荐答案

还没有尝试过任何方法，但是在查看脚本时，我怀疑在同一域中使用Firebase函数的oAuth出现跨域状态Cookie问题.

Have not tried any of that, but when looking at the script, I'd suspect CSFR protection. I'd try to set secure: true and also, domain: "mysite.com". Just found this, which seems to be related: Cross domain state cookie issue for oAuth using firebase functions while on the same domain.

这篇关于Firebase功能会话Cookie未在子域上定义的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！