Identity Platform / Firebase Error (auth/invalid-refresh-token) - node.js

I am in the process of upgrading an existing working Firebase Auth project to Identity Platform to benefit from the goodness of tenants.
I am currently testing this against the local emulator and am facing the following issues:
My users no longer show up in the emulator. I reckon, however, that
the behaviour is expected since I am creating users against a tenant
and no longer the default project users "pool"
The users do not show
up in the GCP console either. Yet, the getUserByEmail() method
in a Cloud Function returns the registered users. I therefore have no clue where these users are currently created...
Authenticating users via generateSignInWithEmailLink() works fine.
However, a few steps in the funnel after this, when using the await user?.getIdToken(true) method, I am getting the following error: Uncaught (in promise) FirebaseError: Firebase: Error (auth/invalid-refresh-token) and can't figure out why.
Interestingly, the user.getIdTokenResult() method works fine and does not yield any error.
My entire snippet:
const getCurrentUser = async (): Promise<Auth["currentUser"]> => {
return new Promise((resolve, reject) => {
const unsubscribe = onAuthStateChanged(
auth,
async (user) => {
if (user) {
if (document.referrer.includes("stripe")) {
// console.log({ user });
await user?.getIdToken(true);
console.log({ after: user });
}
state.isAuthenticated.value = true;
state.user.value = user;
try {
const { claims } = await user.getIdTokenResult();
state.claims.value = claims;
if (typeof claims.roles === "string") {
if (claims.active && claims.roles.includes("account_owner")) {
state.isActive.value = true;
}
}
} catch (e) {
console.log(e);
if (e instanceof Error) {
throw new Error();
}
}
}
unsubscribe();
resolve(user);
},
(e) => {
if (e instanceof Error) {
state.error.value = e.message;
logClientError(e as Error);
}
reject(e);
}
);
});
};
For reference, I am working with a Vue 3 / Vite repo.
Any suggestion would be welcome,
Thanks,
S.

Just a quick follow-up here for anyone looking for an answer to this.
I raised a bug report on the firebase-tools Github and:
Users not appearing in the Emulator UI: behaviour confirmed by the firebase team. The emulator does not not support multi-tenancy at the moment. In my experience, however, working with the emulator with multi-tenants, the basic functionalities seem to work: creating users, retrieving them. Impossible however to visualise them or export them.
Refresh token error: bug confirmed by the firebase team and in the process of being triaged. Will likely take some time before being fixed (if ever?). So for now, even if far from being ideal, I have added conditional checks to my code to skip the force refresh of the token on localhost. Instead, I log out and log back in with the users I am expecting to see some changes in the claims for, as this process does not error. Another solution would be to use an actual Firebase Auth instance and not the local emulator, but it feels a bit messy to combine localhost/emulator resources and actual ones, even with a dev account.
The GH issue: here.

Related

Listing Business Accounts under Google My Business API

I have authenticated against a Google Account and trying to fetch the Businesses on that account using the Google My Business API.
I can't seem to find any samples on how to do that using the Google NodeJS Client Libraries.
Here is what I tried:
async fetchGoogleMyBusinessAccounts() {
console.log(`Fetching GMB Accounts`);
let authCredentials= ...
const oauth2Client = initOAuth2Client(platform, authCredentials);
google.options({ auth: oauth2Client });
let gmbAccountManagement = google.mybusinessaccountmanagement(); //There seems to be an issue on this line
try {
let myBusinessAccounts = await gmbAccountManagement.accounts.list();
console.log(`Connected Accounts = ${JSON.stringify(myBusinessAccounts, null, 2)}`);
} catch (e) {
console.log(`Error Listing GMB Accounts`);
}
}
But the error I keep getting is:
Argument error: Accepts only string or object
I can't seem to figure out how what might be wrong and how best to get about this.
Any insights would be really appreciated.
I think you may be missing the API version:
const mybusinessaccountmanagement = google.mybusinessaccountmanagement('v1');

How can I add user info to conv.user.storage?

I'm using Actions Builder to create my chatbot and after user logins using Google I want to save his ID to storage variable.
This storage variable doesn't exist on conv.user.
So I do this:
if (conv.user.verificationStatus === 'VERIFIED') {
conv.user.storage = {};
conv.user.storage.id = str.rows[0].id;
console.log("STORAGE");
console.log(conv.user.storage.id);
}
But on Google Assistant it returns the error message and on my Webhook it's all good (no errors shown):
Google Assistant Error
What can I do to save/persist at least my user ID for future referings?
Since user has the Google Sign In process done once, every time he enters in your action you have his info on the request (payload). It´s automatically added to user storage.
You should store it on conv.user.params and refer to it in your code.
You may have a get and set method to help you with:
getUserId(conv) {
return conv.user.params.userId;
}
setUserId(conv, userId) {
try {
conv.user.params.userId = userId;
} catch (e) {
throw new error("Error setting USERID");
}
return userId;
}

How to listen for new users when using Firebase's listUsers()

The Firebase admin SDK for Node.js provides us with a way of retrieving every user in our project, as seen in the documentation here.
I have implemented this in my own code as follows:
const listAllUsers = (nextPageToken) => {
return new Promise((resolve, reject) => {
// List batch of users, 1000 at a time.
const customerUIDs = []
admin.auth().listUsers(1000, nextPageToken)
.then((listUsersResult) => {
listUsersResult.users.forEach((userRecord) => {
// check for customers by their claims
if (userRecord.toJSON().customClaims.customer) {
customerUIDs.push(userRecord.toJSON().uid)
}
})
if (listUsersResult.pageToken) {
// List next batch of users.
listAllUsers(listUsersResult.pageToken)
}
resolve(customerUIDs)
})
.catch((error) => {
reject(error)
})
})
}
...
// some
// more
// code
NB: When a user is created, we assign the custom claims of customer: true to specify that the user is a customer, not an admin. That happens in my Cloud functions, so no need to paste it here again.
My question is this:
This function above is a one-time operation. How do I listen for new users, and add them to the customerUIDs array?
The Admin SDK doesn't provide any way to listen for newly created users.
If you want to write some code that runs when a new user account is created, you should look into using an Authentication trigger provided by Cloud Functions.

Flutter app: How to implement a proper logout function?

I have a flutter App using Azure B2C authentication. To achieve this I use the flutter appAuth package. The login process works fine but appAuth does not provide a logout functionality. After logging in I get an access token. Until now my logout was to delete this access token.
The problem is, that Azure require a web app session lifetime of at least 15 minutes in the SignIn user flow. This means: If a user logs in and out within 15 minutes, he will automatically be logged in again. This makes a login with another user impossible.
I hope to fix this behavior with a real logout instead of only deleting the access tokens. In found the following line of code in the Azure Active Directory documentation. But I cannot manage to get it running. Any suggestions for a logout function?
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Fjwt.ms%2F
I followed the below source to implement the below log out function using app auth written by David White.
Future<void> _logOut() async {
try {
//for some reason the API works differently on iOS and Android
Map<String, String> additionalParameters;
if (Platform.isAndroid) {
//works on Android but will miss p parameter when redirected back to authorize on iOS
additionalParameters = {
"id_token_hint": _idToken,
"post_logout_redirect_uri": _redirectUrl
};
} else if (Platform.isIOS) {
// with p parameter when redirected back to authorize on iOS
additionalParameters = {
"id_token_hint": _idToken,
"post_logout_redirect_uri": _redirectUrl,
'p': '<tenantID>'
};
}
await appAuth.authorizeAndExchangeCode(
AuthorizationTokenRequest(
_clientId,
_redirectUrl,
promptValues: ['login'],
discoveryUrl: _discoveryURL,
additionalParameters: additionalParameters,
scopes: _scopes,
),
);
} catch (e) {
print(e);
}
setState(() {
_jwt = null;
});
}
source: https://www.detroitdave.dev/2020/04/simple-azure-b2c-flutter.html

Inconsistent - "The project id used to call the Google Play Developer API has not been linked in the Google Play Developer Console."

So here's the thing - I have a node.js backend server for my Android App. I am using the Google Play billing library, and using the backend to verify the purchase as google Docs recommend.
Now, all the other answers out there regarding this error seem to refer to a consistent problem.
My backend SOMETIMES verifies, and SOMETIMES comes back with this as an error, indicating that in fact, my service account IS linked (as shows up in my consoles).
I tried two different 3rd party libraries, and I have the same issue. Sometimes one will respond with verification success, while the other will say my account is not linked. Sometimes they are both negative, sometimes both positive.
It seems inconsistent.
var platform = 'google';
var payment = {
receipt: purchaseToken, // always required ... this is google play purchaseToken
productId: subID, // my subscription sku id
packageName: 'com.xxxxxx', // my package name
keyObject: key, // my JSON file
subscription: true, // optional, if google play subscription
};
var promise2 = iap.verifyPayment(platform, payment, function (error, response) {
/* your code */
if (error) {
console.log('error with iap, ' , error);
return true;
} else {
console.log('success with iap, response is: ', response);
return true;
}
});
I also tried with a different library, got same results:
var receipt = {
packageName: "com.xxxx",
productId: subID, // sku subscription id
purchaseToken: purchaseToken // my purchase token
};
var promise = verifier.verifySub(receipt, function cb(err, response) {
if (err) {
console.log('within err, was there a response? : ', response);
console.log('there was an error validating the subscription: ', err);
//console.log(err);
return true;
} else {
console.log('sucessfully validated the subscription');
// More Subscription info available in “response”
console.log('response is: ', response );
return true;
}
});
// return promises later.
Any else experience this issue?
TLDR; Create a new product ID.
I eventually found the answer. The problem was not with my code, or with permissions in the Google Developer Console OR the Google Play Console. Everything was set up correctly except for one thing.
Previously, before setting up Test License Accounts in Google Play Console, I had made an actual Subscription purchase with real money on my productID "X".
Then, after adding the same google account that bought the subscription as a test user, I continued to test results on the same subscription, productID "X".
Even though I had cancelled the REAL purchase, the actual expiration date was not for another month.
Therefore, I believe sometimes Google was getting confused when I would buy/cancel the purchase - confusing the test subscription with the real subscription.
Creating a new Product ID, and only using that, solved my problem, and purchases are verified consistently.

Resources