Why can't I use `allAuthenticatedUsers` for my Firebase Cloud Function?

Question

When deploying Firebase Functions using the Firebase CLI, they are configured so that the Cloud Functions Invoker permission is granted to allUsers. With such a setting the code below functions as expected.

The Cloud Functions Invoker permission can also be granted to allAuthenticatedUsers. However, when I implement this change for addMessage, I only ever get an UNAUTHENTICATED error response using the code below.

Why won't allAuthenticatedUsers work for this Firebase Cloud Function?

Note: This Q&A is a result of a now-deleted question posted by Furkan Yurdakul, regarding why allAuthenticatedUsers wasn't working with his Firebase Callable Function for his Firebase app

MWE based on the documentation, with addMessage defined here:

```javascript
firebase.auth().signInAnonymously() // for the sake of the MWE, this will normally be Facebook, Google, etc
  .then((credential) => {
    // logged in successfully, call my function
    const addMessage = firebase.functions().httpsCallable('addMessage');
    return addMessage({ text: messageText });
  })
  .then((result) => {
    // Read result of the Cloud Function.
    const sanitizedMessage = result.data.text;
    alert('The sanitized message is: ' + sanitizedMessage);
  })
  .catch((error) => {
    // something went wrong, keeping it simple for the MWE
    const errorCode = error.code;
    const errorMessage = error.message;

    if (errorCode === 'auth/operation-not-allowed') {
      alert('You must enable Anonymous auth in the Firebase Console.');
    } else {
      console.error(error);
    }
  });
```

Recommended answer

Simply put, if the ID token passed to a Cloud Function represents a Google account (that used Google Sign-In through Firebase or Google itself), it works; otherwise, it doesn't.

Think of allAuthenticatedUsers as allAuthenticatedGoogleUsers, not allAuthenticatedFirebaseUsers.

For Callable Firebase Functions used with the Firebase Client SDKs, you will normally grant allUsers the permission to call it (the default setting for Firebase CLI deployed functions).

A valid authenticated client request for Google Cloud Functions must have an Authorization: Bearer ID_TOKEN header (preferred) or ?access_token=ID_TOKEN. Here, ID_TOKEN is a signed-in Google user's ID token as a JWT.

When Firebase Client SDKs call a Callable Function, they set the Authorization header for you with the current user's ID token (if the user is signed in, here). This is done so that the user's authentication token can be used in the context parameter of onCall() functions. Importantly though, a Firebase user's ID token doesn't always represent a Google user which makes it incompatible with allAuthenticatedUsers.

Because of this, you will have to gate your callable function in your code by checking context.auth and its properties like below.

```javascript
export const addMessage = functions.https.onCall((data, context) => {
  if (!context.auth) {
    // Throwing a HttpsError so that the client gets the error details.
    throw new functions.https.HttpsError(
      'failed-precondition',
      'The function must be called while authenticated.'
    );
  }

  // a valid user is logged in

  // do work
});
```


Addendum on 403 Forbidden errors

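If your function consistently throws a 403 error after being deployed, it is probably because you are using an outdated copy of the Firebase CLI, as the following caution explains: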

Caution: New HTTP and HTTP callable functions deployed with any Firebase CLI lower than version 7.7.0 are private by default and throw HTTP 403 errors when invoked. Either explicitly make these functions public or update your Firebase CLI before you deploy any new functions.
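
The `context.auth` gate from the answer, extended here as an added example (not code from the original answer) to check the token's properties as well: `signInAnonymously()` in the question still produces a signed-in user, so `if (!context.auth)` alone admits anonymous callers. `checkCaller`, `deny`, the policy fields and the sample contexts are assumptions made for illustration.

```javascript
// Added example. checkCaller and its policy fields are hypothetical names,
// not Firebase APIs. The context shape (auth.uid, auth.token.email_verified,
// auth.token.firebase.sign_in_provider) mirrors a decoded Firebase ID token.
function deny(code, message) {
  return { ok: false, code, message };
}

function checkCaller(context, policy = {}) {
  const {
    allowAnonymous = false,       // accept signInAnonymously() sessions?
    allowedProviders = null,      // e.g. ['google.com', 'password']; null = any
    requireVerifiedEmail = false,
  } = policy;

  // No verified ID token accompanied the call.
  if (!context || !context.auth || !context.auth.uid) {
    return deny('unauthenticated', 'The function must be called while authenticated.');
  }
  const token = context.auth.token || {};
  const provider = (token.firebase && token.firebase.sign_in_provider) || 'unknown';

  // An anonymous sign-in still carries a valid ID token, so context.auth is set.
  if (provider === 'anonymous') {
    return allowAnonymous
      ? { ok: true, uid: context.auth.uid, provider }
      : deny('permission-denied', 'Anonymous users may not call this function.');
  }
  if (allowedProviders && !allowedProviders.includes(provider)) {
    return deny('permission-denied', `Sign-in provider ${provider} is not allowed.`);
  }
  if (requireVerifiedEmail && token.email_verified !== true) {
    return deny('permission-denied', 'A verified e-mail address is required.');
  }
  return { ok: true, uid: context.auth.uid, provider };
}

// Constructed sample contexts (not real tokens).
const sampleContexts = {
  noToken: { auth: undefined },
  anonymous: { auth: { uid: 'anon-1', token: { firebase: { sign_in_provider: 'anonymous' } } } },
  google: { auth: { uid: 'g-1', token: { email_verified: true, firebase: { sign_in_provider: 'google.com' } } } },
  password: { auth: { uid: 'p-1', token: { email_verified: false, firebase: { sign_in_provider: 'password' } } } },
};

for (const [name, ctx] of Object.entries(sampleContexts)) {
  console.log(name, checkCaller(ctx, { requireVerifiedEmail: true }));
}
// In onCall(): const r = checkCaller(context, policy);
// if (!r.ok) throw new functions.https.HttpsError(r.code, r.message);
```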
