firebase / firebase-tools

The Firebase Command Line Tools
MIT License

Auth Emulator does not update auth_time when updating user #5990

Open ekimekim opened 1 year ago

ekimekim commented 1 year ago

I've encountered a difference in the behaviour of auth_time between the Firebase Auth emulator and the real Firebase Auth service. When updating a user's email (potentially other fields too, I have only tested with email) and requesting a new token at the same time, the returned token's auth_time is unchanged, but the user's validSince is updated so that the returned token is immediately invalid. In the real service, the same operation results in a token with an updated auth_time that matches the new validSince.

I believe this is due to https://github.com/firebase/firebase-tools/issues/3608 which made auth_time always match lastLoginAt. The modern code that does the same thing is here: https://github.com/firebase/firebase-tools/blob/d4d1952a119363caf7cbd8118eabc841bb5dcb8a/src/emulator/auth/operations.ts#L2418 When the email is updated, the lastLoginAt is not (which matches the real service's behaviour) but in this case auth_time should diverge from lastLoginAt and be updated.

It seems that the auth emulator does not currently compare auth_time in the token to validSince when accepting tokens, it compares iat instead. However firebase-admin-node does. I looked at firebase-admin-java and it seems to compare to iat only, at least at first glance. So it may be that the validation issue is a firebase-admin-node bug, not a firebase-tools one. But the auth_time still acts differently here compared to the real service so I think even in that case it's still worth fixing.

[REQUIRED] Environment info

firebase-tools: 11.19.0
firebase-admin-node: 11.2.0

Platform: Debian 10

[REQUIRED] Steps to reproduce

  1. Create a user with accounts:signUp and {"returnSecureToken": true}
  2. Wait a few seconds.
  3. Update the user with accounts:update, with {"email": "test@example.com", "idToken": <token from step 1>, "returnSecureToken": true}
  4. Attempt to validate the token from step 3 using firebase-admin's verifyIdToken method

[REQUIRED] Expected behavior

The token from step 3 validates correctly

[REQUIRED] Actual behavior

The token fails to validate due to auth_time being before validSince.
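The mismatch described in this report, modelled as an added example (this is not code from firebase-tools or firebase-admin). It assumes, as in a Firebase Auth user record, that `validSince` is a string of epoch seconds and `lastLoginAt` a string of epoch milliseconds, and contrasts the `auth_time`-based revocation rule the reporter attributes to firebase-admin-node with the `iat`-based rule the emulator itself applies.

```javascript
// Revocation rule as described for firebase-admin-node: a token is revoked when
// its auth_time predates the user's validSince (both compared in seconds).
function isRevokedByAuthTime(claims, user) {
  return claims.auth_time < Number(user.validSince);
}

// Revocation rule as the reporter observed in the emulator (and firebase-admin-java):
// compare the token's iat to validSince instead.
function isRevokedByIat(claims, user) {
  return claims.iat < Number(user.validSince);
}

// Step 1: accounts:signUp with returnSecureToken. lastLoginAt, validSince,
// iat and auth_time all line up on the sign-up time.
function signUp(nowSec) {
  const user = { lastLoginAt: String(nowSec * 1000), validSince: String(nowSec) };
  const claims = { iat: nowSec, auth_time: nowSec };
  return { user, claims };
}

// Step 3 as the emulator behaves: validSince moves to "now" and a fresh iat is
// issued, but auth_time stays pinned to lastLoginAt, which the email update
// does not touch.
function emulatorUpdateEmail(state, nowSec) {
  const user = { ...state.user, validSince: String(nowSec) };
  const claims = { iat: nowSec, auth_time: Math.floor(Number(user.lastLoginAt) / 1000) };
  return { user, claims };
}

// Step 3 as the real service behaves: auth_time is refreshed to match validSince.
function realServiceUpdateEmail(state, nowSec) {
  const user = { ...state.user, validSince: String(nowSec) };
  const claims = { iat: nowSec, auth_time: nowSec };
  return { user, claims };
}

// Run steps 1-4 against a given backend model and report both verdicts.
function reproduce(updateFn, signUpSec = 1700000000, waitSec = 5) {
  const afterUpdate = updateFn(signUp(signUpSec), signUpSec + waitSec);
  return {
    revokedByAuthTime: isRevokedByAuthTime(afterUpdate.claims, afterUpdate.user),
    revokedByIat: isRevokedByIat(afterUpdate.claims, afterUpdate.user),
  };
}
```

`reproduce(emulatorUpdateEmail)` reports the token as revoked under the `auth_time` rule but accepted under the `iat` rule, which is why the emulator accepts its own token while firebase-admin-node rejects it; `reproduce(realServiceUpdateEmail)` passes under both.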

google-oss-bot commented 1 year ago

This issue does not seem to follow the issue template. Make sure you provide all the required information.

joehan commented 1 year ago

Thanks for reporting this @ekimekim! It seems like you correctly identified the issue here - feel free to make a PR if you feel up for it! Otherwise, someone from the Auth emulator team will take a look shortly.