adrien2p / medusa-plugins

A collection of awesome plugins for medusa :rocket:
https://medusa-plugins.vercel.app
MIT License

Firebase Auth (401 unauthorized) #149

Closed kevinrobert3 closed 3 months ago

kevinrobert3 commented 3 months ago

Medusa throws a 401 error when we call the function to get the session cookie.

```js
if (user) {
  // Firebase ID token for the signed-in user
  let token = await user.getIdToken()

  const res = await fetch("http://localhost:9000/admin/auth/firebase", {
    method: "GET",
    headers: {
      // template literal (backticks) so the token is actually interpolated
      Authorization: `Bearer ${token}`,
    },
    credentials: "include",
  })
}
```

This is an example using the onIdTokenChanged Firebase function. We supply the token and still get unauthorized, with both the /store and /admin URLs. The docs state this is the only required thing to do, i.e. log in the user, get the token, and use it to call the authUrl.

The verifyCallback function in the plugin does, however, log the decodedToken like this:

```js
{
  iss: 'https://securetoken.google.com/medu-proj',
  aud: 'medu-proj',
  auth_time: 1710181629,
  user_id: 'eeGO1t56xWow2JJONQxuQ5C3',
  sub: 'eeGO1t56xWh6OWNQxuQ5C3',
  iat: 1710234640,
  exp: 1710238240,
  email: 'rob@gmail.com',
  email_verified: false,
  firebase: { identities: { email: [Array] }, sign_in_provider: 'password' },
  uid: 'eeGO1t56xWh6OWoNQxuQ5C3'
}
```

Copying the token and making the call using Insomnia or Postman gives the same unauthorized error.

I also thought the issue was in the middleware.ts that we have, and commented out the code there, but the unauthorized error is still there.

This is a link to the Discord discussion too https://discord.com/channels/876835651130097704/1217042921187053609

kevinrobert3 commented 3 months ago

Tried downgrading the plugin to v1.8.1 following this discussion: https://github.com/adrien2p/medusa-plugins/issues/97. But it still does not work.

kevinrobert3 commented 3 months ago

And following this issue, https://github.com/adrien2p/medusa-plugins/issues/116, I checked whether such a user (email) exists in Medusa. I signed up new users using Firebase with random emails and still get the unauthorized error from Medusa.

adrien2p commented 3 months ago

Hey there, sorry for the delay, but I am currently underwater 🤣 I'll keep you posted. Eventually, @dPreininger could help you 💪

dPreininger commented 3 months ago

Are you using a custom verifyCallback function? If yes, the function needs to return `{ id: string }` of the user/customer from the Medusa database (not from Firebase, but from Medusa). You can take a look at the default store example here: https://github.com/adrien2p/medusa-plugins/blob/main/packages/medusa-plugin-auth/src/core/validate-callback.ts#L77

kevinrobert3 commented 3 months ago

I wanted to create the user in Firebase and for Medusa to do the creation of the user automatically. My understanding is that that is what the plugin achieves. I am not using a custom verifyCallback; this is what I have:

```js
admin: {
  // authPath: "/admin/auth/firebase",
  // expiresIn: 24 * 60 * 60 * 1000,
  verifyCallback: (container, decodedToken, strict) => {
    console.log("admin");
    console.log(container);
    console.log(decodedToken);
    console.log(strict);
  },
},
```

and the code up top. Also, my guess is that the plugin receives the request and calls the verifyCallback? But all I get is a 401 at admin/auth/firebase and at the store auth URL.

Let me know if I have that flow correct, and where the custom verifyCallback would go, if it is the missing piece. The docs only go: log in/create the user (Firebase), get the token, use it to call the authUrl, done, at least for the most basic working setup.

dPreininger commented 3 months ago

Yes, you do have a custom verifyCallback function defined, if the example above is your plugin config. That is the function that has the console.logs in it. Try it with this config:

```js
{
  type: "firebase",
  strict: "none",
  identifier: "firebase",
  credentialJsonPath: "your-current-path",
  admin: {
  },
  store: {
  }
}
```

So, remove the verifyCallback function definitions from the config and set strict to "none". This will most likely work.

kevinrobert3 commented 3 months ago

No, still 401. These are the server logs:

```
::1 - - [19/Mar/2024:07:17:14 +0000] "OPTIONS /admin/auth/firebase HTTP/1.1" 204 0 "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
::1 - - [19/Mar/2024:07:17:16 +0000] "GET /admin/auth/firebase HTTP/1.1" 401 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
```

And these are the browser logs, with the response of the call logged:

[Screenshot 2024-03-19 at 10:20:22: browser console with the 401 response]

Is this normal, or a CORS issue?

dPreininger commented 3 months ago

Does the admin user even exist?

Can you run "SELECT email FROM user;" in your Postgres database to see?

dPreininger commented 3 months ago

> Is this normal, or a CORS issue?

It is not CORS; the preflight call (the OPTIONS call) is successful, and you wouldn't even get any response code if CORS didn't succeed.

kevinrobert3 commented 3 months ago

[Screenshot 2024-03-19 at 10:59:00: result of the query on the user table]

There is an admin user; I have been using that email to do many operations across the board. They are the only user currently.

dPreininger commented 3 months ago

Yes, but the credentials you sent above aren't for admin@medusa-test.com.

```js
{
  iss: 'https://securetoken.google.com/medu-proj',
  aud: 'medu-proj',
  auth_time: 1710181629,
  user_id: 'eeGO1t56xWow2JJONQxuQ5C3',
  sub: 'eeGO1t56xWh6OWNQxuQ5C3',
  iat: 1710234640,
  exp: 1710238240,
  email: 'rob@gmail.com',
  email_verified: false,
  firebase: { identities: { email: [Array] }, sign_in_provider: 'password' },
  uid: 'eeGO1t56xWh6OWoNQxuQ5C3'
}
```

The email has to be the same.

kevinrobert3 commented 3 months ago

Oh, that works. I was under the impression that I create the user in Firebase, send the token to Medusa, and then Medusa automatically creates the account ❌. So the flow is: create in Medusa first, create in Firebase too, then use Firebase for any subsequent auth ✅. I have so many questions around this, like when a user changes their email. That would mean changing it in Medusa and then going through the process in Firebase too, to keep the flow working. I am guessing V2 will handle some of this.

However, matching the emails works; thanks for the solution.

dPreininger commented 3 months ago

You can do that with a custom verifyCallback function.
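The two points the thread ends on, that a custom verifyCallback has to return `{ id }` of the Medusa record (dPreininger's first answer) and that auto-provisioning and email changes are handled in that same callback (the closing reply), are shown together in the example below. It is an added example, not code from medusa-plugins or from anyone in this thread. Its assumptions, none of which come from the page: the container resolves a `customerService` exposing `retrieveByEmail`, `retrieveByMetadata`, `create` and `update` (the in-memory class stands in for it; the real Medusa service has a different API), the plugin's `strict` option takes the values used in the thread ("all", "none", "admin", "store"), a thrown error is treated by the plugin as a failed login, and `firebase_uid` is our own metadata key. The sample token is constructed to resemble the one posted above (a password sign-in whose email Firebase has not verified) with made-up identifiers. It goes slightly beyond the thread by refusing to link or create an account from an unverified email, since otherwise anyone who registers someone else's address in Firebase could claim that Medusa customer.

```javascript
// Added example, not the plugin's code. A custom verifyCallback for the firebase
// strategy of medusa-plugin-auth that
//   1. returns { id } of the Medusa customer, never the Firebase uid,
//   2. links an existing customer by email only when Firebase marks it verified,
//   3. auto-provisions a store customer when strict is off and autoCreate is set,
//   4. keys on the Firebase uid kept in customer metadata, so an email change on
//      the Firebase side is mirrored instead of breaking the next login.
// Assumptions: container.resolve("customerService") exists (stand-in below);
// a thrown error is treated by the plugin as a failed login (401).

const FIREBASE_UID_KEY = "firebase_uid"; // our own metadata key, not the plugin's

// Stand-in for Medusa's customer service, synchronous so the example runs
// without a database. The plugin awaits verifyCallback, so an async version
// against the real services behaves the same way.
class InMemoryCustomerService {
  constructor(seed = []) {
    this.rows = new Map();
    this.seq = 0;
    seed.forEach((row) => this.create(row));
  }
  create({ email, metadata = {} }) {
    const row = { id: `cus_${++this.seq}`, email, metadata: { ...metadata } };
    this.rows.set(row.id, row);
    return row;
  }
  retrieveByEmail(email) {
    for (const row of this.rows.values()) if (row.email === email) return row;
    return null;
  }
  retrieveByMetadata(key, value) {
    for (const row of this.rows.values()) if (row.metadata[key] === value) return row;
    return null;
  }
  update(id, patch) {
    const row = this.rows.get(id);
    if (!row) throw new Error(`unknown customer ${id}`);
    const metadata = { ...row.metadata, ...(patch.metadata || {}) };
    Object.assign(row, patch, { metadata });
    return row;
  }
}

// strict follows the plugin option as used in the thread ("all" | "none" |
// "admin" | "store"): when it covers the store domain the customer must exist.
function makeVerifyCallback({ autoCreate = false } = {}) {
  return function verifyCallback(container, decodedToken, strict) {
    const service = container.resolve("customerService");
    const email = (decodedToken.email || "").toLowerCase();
    const verified = decodedToken.email_verified === true;
    const uid = decodedToken.uid || decodedToken.sub;
    if (!uid) throw new Error("firebase token carries no uid");
    const mustExist = strict === "all" || strict === "store";

    // 1. Stable key: the Firebase uid recorded at first login.
    let customer = service.retrieveByMetadata(FIREBASE_UID_KEY, uid);
    if (customer) {
      if (verified && email && customer.email !== email) {
        // The user changed their email in Firebase; mirror it in Medusa.
        customer = service.update(customer.id, { email });
      }
      return { id: customer.id };
    }

    // 2. First login for this uid: link by email, but only a verified one.
    if (verified && email) {
      customer = service.retrieveByEmail(email);
      if (customer) {
        service.update(customer.id, { metadata: { [FIREBASE_UID_KEY]: uid } });
        return { id: customer.id };
      }
    }

    // 3. Nothing matched. Say why; the bare 401 in the thread gave nothing to go on.
    if (mustExist || !autoCreate || !verified || !email) {
      throw new Error(
        `no Medusa customer for token (email=${email || "-"}, email_verified=${verified}, strict=${strict})`
      );
    }
    customer = service.create({ email, metadata: { [FIREBASE_UID_KEY]: uid } });
    return { id: customer.id };
  };
}

// Constructed sample modelled on the token posted in the thread; ids are made up.
const SAMPLE_TOKEN = {
  iss: "https://securetoken.google.com/medu-proj",
  aud: "medu-proj",
  sub: "firebase-uid-rob",
  uid: "firebase-uid-rob",
  email: "rob@example.com",
  email_verified: false,
  firebase: { sign_in_provider: "password" },
};

// Minimal container shaped like the one the plugin hands to verifyCallback.
function makeContainer(service) {
  return { resolve: (name) => ({ customerService: service })[name] };
}
```

With a database seeded only with `admin@medusa-test.com`, the sample token is refused with a message naming the email and `strict` value, which is the situation the thread debugged by hand; a token for the same address with `email_verified: true` returns `cus_1` and records the uid, after which a token carrying a new address still resolves to `cus_1` and updates the stored email. The admin domain should use the same shape against the user service but never with `autoCreate`, since that would let any Firebase sign-up mint a privileged account.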