为什么我的 Firebase 云函数不能使用 `allAuthenticatedUsers`? [英] Why can't I use `allAuthenticatedUsers` for my Firebase Cloud Function?

问题描述

在使用 Firebase CLI 部署 Firebase 函数时，它们被配置为Cloud Functions Invoker 权限授予 allUsers.通过这样的设置，下面的代码可以按预期运行.

When deploying Firebase Functions using the Firebase CLI, they are configured so that the Cloud Functions Invoker permission is granted to allUsers. With such a setting the code below functions as expected.

Cloud Functions Invoker 权限也可以授予 allAuthenticatedUsers.但是，当我对 addMessage 实施此更改时，我只会使用以下代码收到 UNAUTHENTICATED 错误响应.

The Cloud Functions Invoker permission can also be granted to allAuthenticatedUsers. However, when I implement this change for addMessage, I only ever get a UNAUTHENTICATED error response using the code below.

为什么 allAuthenticatedUsers 不适用于此 Firebase 云功能?

Why won't allAuthenticatedUsers work for this Firebase Cloud Function?

注意:此问答是 Furkan Yurdakul 发布的现已删除问题的结果a>，关于为什么 allAuthenticatedUsers 没有为他的 Firebase 应用程序使用他的 Firebase 可调用函数

Note: This Q&A is a result of a now-deleted question posted by Furkan Yurdakul, regarding why allAuthenticatedUsers wasn't working with his Firebase Callable Function for his Firebase app

MWE 基于文档，带有addMessage在此处定义:/p>

MWE based on the documentation, with addMessage defined here:

firebase.auth().signInAnonymously() // for the sake of the MWE, this will normally be Facebook, Google, etc
  .then((credential) => {
    // logged in successfully, call my function
    const addMessage = firebase.functions().httpsCallable('addMessage');
    return addMessage({ text: messageText });
  })
  .then((result) => {
    // Read result of the Cloud Function.
    const sanitizedMessage = result.data.text;
    alert('The sanitized message is: ' + sanitizedMessage);
  })
  .catch((error) => {
    // something went wrong, keeping it simple for the MWE
    const errorCode = error.code;
    const errorMessage = error.message;

    if (errorCode === 'auth/operation-not-allowed') {
      alert('You must enable Anonymous auth in the Firebase Console.');
    } else {
      console.error(error);
    }
  });

推荐答案

简单地说，如果传递给 Cloud Function 的 ID 令牌代表一个 Google 帐户(通过 Firebase 或 Google 本身)，它有效，否则无效.

Simply put, if the ID token passed to a Cloud Function represents a Google account (that used Google Sign-In through Firebase or Google itself), it works, otherwise, it doesn't.

将 allAuthenticatedUsers 视为 allAuthenticatedGoogleUsers 而不是 allAuthenticatedFirebaseUsers.

Think of allAuthenticatedUsers as allAuthenticatedGoogleUsers instead of allAuthenticatedFirebaseUsers.

对于与 Firebase 客户端 SDK 一起使用的可调用的 Firebase 函数，您通常会授予allUsers 调用它的权限(默认设置 Firebase CLI 已部署函数).

For Callable Firebase Functions used with the Firebase Client SDKs, you will normally grant allUsers the permission to call it (the default setting Firebase CLI deployed functions).

针对 Google Cloud Functions 的有效的经过身份验证的客户端请求必须具有Authorization: Bearer ID_TOKEN 标头(首选)或 ?access_token=ID_TOKEN.此处，ID_TOKEN 是作为 JWT 的已登录 Google 用户的 ID 令牌.

A valid authenticated client request for a Google Cloud Functions must have an Authorization: Bearer ID_TOKEN header (preferred) or ?access_token=ID_TOKEN. Here, ID_TOKEN is a signed-in Google user's ID token as a JWT.

当 Firebase 客户端 SDK 调用可调用函数时，它们会使用当前用户的 ID 令牌(如果用户已登录，此处).这样做是为了可以在 上下文中使用用户的身份验证令牌 参数 onCall() 函数.但重要的是，Firebase 用户的 ID 令牌并不总是代表 Google 用户，这使其与 allAuthenticatedUsers 不兼容.

When Firebase Client SDKs call a Callable Function, they set the Authorization header for you with the current user's ID token (if the user is signed in, here). This is done so that the user's authentication token can be used in the context parameter of onCall() functions. Importantly though, a Firebase user's ID token doesn't always represent a Google user which makes it incompatible with allAuthenticatedUsers.

因此，您必须通过检查 context.auth 和它的属性如下.

Because of this, you will have to gate your callable function in your code by checking context.auth and it's properties like below.

export const addMessage = functions.https.onCall((data, context) => {
  if (!context.auth) {
    // Throwing a HttpsError so that the client gets the error details.
    throw new functions.https.HttpsError(
      'failed-precondition',
      'The function must be called while authenticated.'
    );
  }

  // a valid user is logged in

  // do work
});

---

关于 403 禁止错误的附录

如果您的函数在部署后始终抛出 403 错误，这可能是因为您使用的是过时的 Firebase CLI 副本，如文档:

注意:使用低于 7.7.0 版本的任何 Firebase CLI 部署的新 HTTP 和 HTTP 可调用函数默认是私有的，并且在调用时会抛出 HTTP 403 错误.明确公开这些功能或在部署任何新函数之前更新您的 Firebase CLI.

Caution: New HTTP and HTTP callable functions deployed with any Firebase CLI lower than version 7.7.0 are private by default and throw HTTP 403 errors when invoked. Either explicitly make these functions public or update your Firebase CLI before you deploy any new functions.

这篇关于为什么我的 Firebase 云函数不能使用 `allAuthenticatedUsers`?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！