Firebase功能会话Cookie未在子域上定义 [英] Firebase Function Session Cookie is not defined on subdomain
问题描述
我尝试让Firebase会话Cookies起作用,以在所有子域中保持一项Auth.
I try to get the Firebase Session Cookies to work to keep one Auth across all the subdomains.
现在,我有了子域accounts.mysite.com
,其中已将Cloud Functions以及登录表单路由到了该子域.在此注册后,我将调用云功能:
Now I have the Subdomain accounts.mysite.com
where I have the Cloud Functions routed to as well as the login forms. After registering there I call my Cloud Function:
app.get("/authenticate/sign-in-user", async (req:Request, res:Response) => {
const idToken = req.query.token as string;
const expiresIn = 60 * 60 * 24 * 5 * 1000;
let sessionCookie;
try {
sessionCookie = await auth.createSessionCookie(idToken, { expiresIn,});
} catch (e) {
res.status(401).end("Invalid ID Token");
}
const options = {
maxAge: expiresIn,
httpOnly: true,
secure: false,
domain: ".mysite.com",
};
res.cookie("__session", sessionCookie, options);
res.end(JSON.stringify({ status: "success" }));
});
这很完美,并且设置了会话cookie,现在在我的函数中,该函数检查cookie是否有效并返回数据:
That works perfect and the session cookie is set, now on my function which checks if the cookie is valid and returns the data:
app.get("/authenticate/check-user", async (req:Request, res:Response) => {
try {
const sessionCookie = req.cookies.__session || '';
if (!sessionCookie) res.status(403).send('No Cookie found.');
console.log(sessionCookie);
const decodedClaims = await admin.auth().verifySessionCookie(sessionCookie, true);
console.log(decodedClaims);
res.end(JSON.stringify(decodedClaims));
}
catch (e) {
res.status(401).send('The found Cookie is not valid')
}
});
如果我是直接从accounts.mysite.com
调用它的话,就可以正常工作,但是当我想在诸如hello.mysite.com
的子域中调用check-user函数时,总是会返回403错误.
This works fine if I call it right from the accounts.mysite.com
but when I wanna call the check-user function while on a subdomain like hello.mysite.com
I always get a 403 Error back.
正在检查站点Cookie是否已设置,所以我不确定为什么它在Cloud Function中不可读.
Inspecting the Site the Cookie is set currently so I am not sure why its not readable in the Cloud Function.
推荐答案
还没有尝试过任何方法,但是在查看脚本时,我怀疑在同一域中使用Firebase函数的oAuth出现跨域状态Cookie问题.
Have not tried any of that, but when looking at the script, I'd suspect CSFR protection. I'd try to set secure: true
and also, domain: "mysite.com"
. Just found this, which seems to be related: Cross domain state cookie issue for oAuth using firebase functions while on the same domain.
这篇关于Firebase功能会话Cookie未在子域上定义的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!