Posting to Firestore with a Custom Token results in "Request had invalid authentication credentials. Expected ... valid authentication credential"
Final goal: an Angular client receives a token valid for one hour in order to query data from FireStore.
Steps to produce a proof of concept and learn how to work with Custom Tokens:
1 - I created a project in Firebase using the firebase tool (https://console.firebase.google.com/project/firetestjimis/overview)
2 - I added a Firestore database and created a collection. I chose production instead of test because this POC is aimed for security reasons.
3 - I manually added a user in Firebase/Authentication/Add User
4 - I copied the User UID from the user added above (it is used below)
5 - I created a very simple Firebase Cloud Function application in order to answer back a Custom Token. Basically I ran firebase init and added this code in index.ts
import * as functions from 'firebase-functions';
import * as admin from "firebase-admin";

export const getCustomToken = functions.https.onRequest((request, response) => {
  if (admin.apps.length < 1) { // Checks if app already initialized
    admin.initializeApp();
  }
  const uid = "UID mentioned above";
  admin.auth().createCustomToken(uid)
    .then(function (customToken) {
      // createCustomToken resolves to a string, so log it directly
      console.log(customToken);
      response.send(customToken);
    })
    .catch(function (error) {
      console.log("Error creating custom token:", error);
      // Always answer the request so the function does not hang until timeout
      response.status(500).send("Error creating custom token");
    });
});
I did this by following other * answers
6 - I can successfully get the Custom Token from https://us-central1-firetestjimis.cloudfunctions.net/getCustomToken
7 - I can successfully post this Custom Token to https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken and get back an idToken like
{
"kind": "identitytoolkit#VerifyCustomTokenResponse",
"idToken": "eyJhbGciOiJSUzI1NiI ... .... aMorw",
"refreshToken": "AE0u-Ney9OJ04Z3xA7ACsmI1S637hXeuCTEdaEU9cxhhPnlwh-9q0X7QpSxVRIYdTdrTgXUbS9Q6yUdAWVeXzhGMiLLLHtwSWSoVSWnZs3Gp1Sb050tThNPQiSsSss8GkCigft3PTBkY4nIbRy3A5dA8FHCLbMYQSfKYqvu8To76UyMVCYONJOM",
"expiresIn": "3600",
"isNewUser": false
}
8 - Now I want to post a simple document to the Firestore collection through
curl --location --request POST 'https://firestore.googleapis.com/v1/projects/firetestjimis/databases/(default)/documents/transfer' \
--header 'Authorization: Bearer /eyJhbGc ... ... iNaMorw' \
--header 'Content-Type: application/json' \
--data-raw '{
"fields": {
"id": {
"stringValue": "1"
},
"status": {
"stringValue": "fracasso"
}
}
}'
I get this error:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
So my main question is: isn't that idToken returned from https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken a valid token to reach the related Firestore?
There is a forward slash before the ID token in the header that shouldn't be there:
--header 'Authorization: Bearer /eyJhbGc ... ... iNaMorw' \
                                ^
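A preflight check that would have flagged the stray slash before the request was sent, as an added example that is not part of the original question or answer. The function names, the constructed sample token and its `constructed-uid` subject are assumptions; the check inspects the header shape and the `aud`, `iss` and `exp` claims only and does not verify the signature.

```javascript
// Added example: preflight check for a Firebase ID token in an Authorization header.
// It inspects shape and claims only; it does NOT verify the token signature.
function b64urlJson(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

function checkBearerHeader(headerValue, projectId, nowSec = Math.floor(Date.now() / 1000)) {
  const problems = [];
  const m = /^Bearer (.*)$/.exec(headerValue);
  if (!m) return ['header must be "Bearer <token>" with a single space'];
  const token = m[1];
  // A JWT is three base64url segments joined by dots. Any other character
  // (a leading slash, whitespace, quotes) is not part of the credential.
  const bad = token.match(/[^A-Za-z0-9_\-.]/g);
  if (bad) problems.push(`unexpected character(s) in token: ${[...new Set(bad)].join(' ')}`);
  const parts = token.split('.');
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    problems.push('token is not three dot-separated segments');
  }
  if (problems.length) return problems;
  let claims;
  try {
    claims = b64urlJson(parts[1]);
  } catch (e) {
    return ['payload segment is not base64url-encoded JSON'];
  }
  if (claims.aud !== projectId) problems.push(`aud is ${claims.aud}, expected ${projectId}`);
  if (claims.iss !== `https://securetoken.google.com/${projectId}`) {
    problems.push('iss is not the securetoken issuer for this project');
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    problems.push('token is expired or has no exp');
  }
  return problems;
}

// Constructed sample token with a fake signature, for project "firetestjimis".
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2lnbmF0dXJl`;
}
const sample = makeSampleToken({
  aud: 'firetestjimis', iss: 'https://securetoken.google.com/firetestjimis',
  sub: 'constructed-uid', exp: 2000000000,
});
console.log(checkBearerHeader(`Bearer /${sample}`, 'firetestjimis', 1900000000));
console.log(checkBearerHeader(`Bearer ${sample}`, 'firetestjimis', 1900000000));
```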